# Flog Txt Version 1 # Analyzer Version: 3.2.1 # Analyzer Build Date: Jan 15 2020 08:26:44 # Log Creation Date: 20.01.2020 20:01:58.493 Process: id = "1" image_name = "234561.exe" filename = "c:\\users\\fd1hvy\\desktop\\234561.exe" page_root = "0xbd5e000" os_pid = "0x2b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x740" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xee4 [0067.995] GetVersionExA (in: lpVersionInformation=0x19fe60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19fe60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0067.997] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0067.997] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2060000 [0068.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0068.022] GetProcAddress (hModule=0x74030000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x7409ebb0 [0068.023] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0068.023] GetProcAddress (hModule=0x74030000, lpProcName="FlsAlloc") returned 0x74044ae0 [0068.023] GetProcAddress (hModule=0x74030000, lpProcName="FlsGetValue") returned 0x74044b20 [0068.023] GetProcAddress (hModule=0x74030000, lpProcName="FlsSetValue") returned 0x74044b40 [0068.023] GetProcAddress (hModule=0x74030000, lpProcName="FlsFree") returned 0x74044b00 [0068.023] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0xb0) returned 0x20605a8 [0068.024] GetCurrentThreadId () returned 0xee4 [0068.024] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x4a4) returned 0x2060660 [0068.024] GetStartupInfoA (in: lpStartupInfo=0x19fe10 | out: lpStartupInfo=0x19fe10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\234561.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0068.024] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0068.024] GetFileType (hFile=0x0) returned 0x0 [0068.024] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0068.024] GetFileType (hFile=0x0) returned 0x0 [0068.024] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0068.024] GetFileType (hFile=0x0) returned 0x0 [0068.024] SetHandleCount (uNumber=0x20) returned 0x20 [0068.024] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" " [0068.024] GetEnvironmentStringsW () returned 0x629de0* [0068.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0068.024] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x589) returned 0x2060b10 [0068.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x2060b30, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0068.024] FreeEnvironmentStringsW (penv=0x629de0) returned 1 [0068.024] GetACP () returned 0x4e4 [0068.025] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x244) returned 0x20610a8 [0068.025] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19fdcc | out: lpCPInfo=0x19fdcc) returned 1 [0068.025] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f898 | out: lpCPInfo=0x19f898) returned 1 [0068.025] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x19f858 | out: lpCharType=0x19f858) returned 1 [0068.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f8b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f8b0, cbMultiByte=256, lpWideCharStr=0x19f628, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19") returned 256 [0068.025] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19", cchSrc=256, lpCharType=0x19fbb8 | out: lpCharType=0x19fbb8) returned 1 [0068.025] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0068.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f8b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f8b0, cbMultiByte=256, lpWideCharStr=0x19f60c, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%øù\x19üý") returned 256 [0068.025] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%øù\x19üý", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0068.025] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý", cchSrc=256, lpDestStr=0x19f40c, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý") returned 256 [0068.025] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý", cchWideChar=256, lpMultiByteStr=0x19fab8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0068.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f8b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19f8b0, cbMultiByte=256, lpWideCharStr=0x19f60c, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý") returned 256 [0068.025] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0068.025] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý", cchSrc=256, lpDestStr=0x19f40c, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý") returned 256 [0068.025] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿff@ff@쀀%\x19\x19üý", cchWideChar=256, lpMultiByteStr=0x19f9b8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0068.025] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x449390, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\234561.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\234561.exe")) returned 0x22 [0068.025] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x4f) returned 0x20612f8 [0068.025] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0xb8) returned 0x2061350 [0068.025] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x43) returned 0x2061410 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x4c) returned 0x2061460 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x5b) returned 0x20614b8 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x60) returned 0x2061520 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x55) returned 0x2061588 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x38) returned 0x20615e8 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x48) returned 0x2061628 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x31) returned 0x2061678 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x3b) returned 0x20616b8 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x4f) returned 0x2061700 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x39) returned 0x2061758 [0068.026] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x3b) returned 0x20617a0 [0068.027] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x46) returned 0x20617e8 [0068.027] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x32) returned 0x2061838 [0068.027] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0xe5) returned 0x2061878 [0068.027] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x62) returned 0x2061968 [0068.027] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x3f) returned 0x20619d8 [0068.027] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x41) returned 0x2061a20 [0068.027] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x6c) returned 0x2061a70 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x36) returned 0x2061ae8 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x3c) returned 0x2061b28 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x3f) returned 0x2061b70 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x48) returned 0x2061bb8 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x4d) returned 0x2061c08 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x42) returned 0x2061c60 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x8f) returned 0x2061cb0 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x3b) returned 0x2061d48 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x33) returned 0x2061d90 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x3a) returned 0x2061dd0 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x4c) returned 0x2061e18 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x4b) returned 0x2061e70 [0068.028] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x36) returned 0x2061ec8 [0068.029] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x45) returned 0x2061f08 [0068.029] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x34) returned 0x2061f58 [0068.029] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x40) returned 0x2061f98 [0068.029] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x36) returned 0x2061fe8 [0068.029] HeapValidate (hHeap=0x2060000, dwFlags=0x0, lpMem=0x2060b10) returned 1 [0068.029] HeapFree (in: hHeap=0x2060000, dwFlags=0x0, lpMem=0x2060b10 | out: hHeap=0x2060000) returned 1 [0068.030] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0xa4) returned 0x2060b10 [0068.030] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x824) returned 0x2062028 [0068.030] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x430960) returned 0x0 [0068.030] HeapValidate (hHeap=0x2060000, dwFlags=0x0, lpMem=0x2060b10) returned 1 [0068.030] HeapValidate (hHeap=0x2060000, dwFlags=0x0, lpMem=0x2060b10) returned 1 [0068.030] GetCurrentProcessId () returned 0x2b4 [0068.030] GetVersion () returned 0x23f00206 [0068.030] GetCurrentThread () returned 0xfffffffe [0068.030] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x6, OpenAsSelf=1, TokenHandle=0x19fce4 | out: TokenHandle=0x19fce4*=0x0) returned 0 [0068.031] CreateFileMappingA (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4000004, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x400000, lpName="AtlDebugAllocator_FileMappingNameStatic3_2b4") returned 0x144 [0068.031] GetLastError () returned 0x0 [0068.031] MapViewOfFile (hFileMappingObject=0x144, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2150000 [0068.031] GetSystemInfo (in: lpSystemInfo=0x19fcbc | out: lpSystemInfo=0x19fcbc*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0068.031] VirtualAlloc (lpAddress=0x2150000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2150000 [0068.032] GetCurrentProcessId () returned 0x2b4 [0068.032] GetVersion () returned 0x23f00206 [0068.032] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19fa70, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\234561.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\234561.exe")) returned 0x22 [0068.032] VirtualAlloc (lpAddress=0x2151000, dwSize=0x2990, flAllocationType=0x1000, flProtect=0x4) returned 0x2151000 [0068.033] GetVersion () returned 0x23f00206 [0068.033] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x19fbb8, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\234561.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\234561.exe")) returned 0x22 [0068.033] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.033] HeapValidate (hHeap=0x2060000, dwFlags=0x0, lpMem=0x2060b10) returned 1 [0068.033] GetVersionExA (in: lpVersionInformation=0x19fd90*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19fd90*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0068.033] HeapValidate (hHeap=0x2060000, dwFlags=0x0, lpMem=0x2060b10) returned 1 [0068.033] GetVersionExA (in: lpVersionInformation=0x19fd4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xb3587b93, dwMinorVersion=0x19fd04, dwBuildNumber=0x449664, dwPlatformId=0x19fdc0, szCSDVersion="Ð\x9f@wÿw\x09Äþÿÿÿ\x08\x14;w$ø$w") | out: lpVersionInformation=0x19fd4c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0068.033] lstrlenA (lpString="atlTraceGeneral") returned 15 [0068.033] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443c44, cbMultiByte=-1, lpWideCharStr=0x19fdcc, cchWideChar=16 | out: lpWideCharStr="atlTraceGeneral") returned 16 [0068.034] VirtualAlloc (lpAddress=0x254fa10, dwSize=0x5f0, flAllocationType=0x1000, flProtect=0x4) returned 0x254f000 [0068.034] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.034] lstrlenA (lpString="atlTraceCOM") returned 11 [0068.034] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443c54, cbMultiByte=-1, lpWideCharStr=0x19fdd4, cchWideChar=12 | out: lpWideCharStr="atlTraceCOM") returned 12 [0068.034] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.035] lstrlenA (lpString="atlTraceQI") returned 10 [0068.035] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443c60, cbMultiByte=-1, lpWideCharStr=0x19fdd4, cchWideChar=11 | out: lpWideCharStr="atlTraceQI") returned 11 [0068.035] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.035] lstrlenA (lpString="atlTraceRegistrar") returned 17 [0068.035] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443c6c, cbMultiByte=-1, lpWideCharStr=0x19fdc8, cchWideChar=18 | out: lpWideCharStr="atlTraceRegistrar") returned 18 [0068.035] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.035] lstrlenA (lpString="atlTraceRefcount") returned 16 [0068.035] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443c80, cbMultiByte=-1, lpWideCharStr=0x19fdc8, cchWideChar=17 | out: lpWideCharStr="atlTraceRefcount") returned 17 [0068.035] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.035] lstrlenA (lpString="atlTraceWindowing") returned 17 [0068.035] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443c94, cbMultiByte=-1, lpWideCharStr=0x19fdc8, cchWideChar=18 | out: lpWideCharStr="atlTraceWindowing") returned 18 [0068.036] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.036] lstrlenA (lpString="atlTraceControls") returned 16 [0068.036] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443ca8, cbMultiByte=-1, lpWideCharStr=0x19fdc8, cchWideChar=17 | out: lpWideCharStr="atlTraceControls") returned 17 [0068.036] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.036] lstrlenA (lpString="atlTraceHosting") returned 15 [0068.036] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443cbc, cbMultiByte=-1, lpWideCharStr=0x19fdcc, cchWideChar=16 | out: lpWideCharStr="atlTraceHosting") returned 16 [0068.036] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.036] lstrlenA (lpString="atlTraceDBClient") returned 16 [0068.036] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443ccc, cbMultiByte=-1, lpWideCharStr=0x19fdc8, cchWideChar=17 | out: lpWideCharStr="atlTraceDBClient") returned 17 [0068.036] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.037] lstrlenA (lpString="atlTraceDBProvider") returned 18 [0068.037] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443ce0, cbMultiByte=-1, lpWideCharStr=0x19fdc4, cchWideChar=19 | out: lpWideCharStr="atlTraceDBProvider") returned 19 [0068.037] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.037] lstrlenA (lpString="atlTraceSnapin") returned 14 [0068.037] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443cf4, cbMultiByte=-1, lpWideCharStr=0x19fdcc, cchWideChar=15 | out: lpWideCharStr="atlTraceSnapin") returned 15 [0068.037] VirtualAlloc (lpAddress=0x254f420, dwSize=0x5f0, flAllocationType=0x1000, flProtect=0x4) returned 0x254f000 [0068.037] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.037] lstrlenA (lpString="atlTraceNotImpl") returned 15 [0068.037] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d04, cbMultiByte=-1, lpWideCharStr=0x19fdcc, cchWideChar=16 | out: lpWideCharStr="atlTraceNotImpl") returned 16 [0068.038] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.038] lstrlenA (lpString="atlTraceAllocation") returned 18 [0068.038] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d14, cbMultiByte=-1, lpWideCharStr=0x19fdc4, cchWideChar=19 | out: lpWideCharStr="atlTraceAllocation") returned 19 [0068.038] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.038] lstrlenA (lpString="atlTraceException") returned 17 [0068.038] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d28, cbMultiByte=-1, lpWideCharStr=0x19fdc8, cchWideChar=18 | out: lpWideCharStr="atlTraceException") returned 18 [0068.038] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.038] lstrlenA (lpString="atlTraceTime") returned 12 [0068.038] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d3c, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=13 | out: lpWideCharStr="atlTraceTime") returned 13 [0068.038] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.039] lstrlenA (lpString="atlTraceCache") returned 13 [0068.039] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d4c, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=14 | out: lpWideCharStr="atlTraceCache") returned 14 [0068.039] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.039] lstrlenA (lpString="atlTraceStencil") returned 15 [0068.039] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d5c, cbMultiByte=-1, lpWideCharStr=0x19fdcc, cchWideChar=16 | out: lpWideCharStr="atlTraceStencil") returned 16 [0068.039] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.039] lstrlenA (lpString="atlTraceString") returned 14 [0068.039] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d6c, cbMultiByte=-1, lpWideCharStr=0x19fdcc, cchWideChar=15 | out: lpWideCharStr="atlTraceString") returned 15 [0068.039] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.039] lstrlenA (lpString="atlTraceMap") returned 11 [0068.039] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d7c, cbMultiByte=-1, lpWideCharStr=0x19fdd4, cchWideChar=12 | out: lpWideCharStr="atlTraceMap") returned 12 [0068.039] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.040] lstrlenA (lpString="atlTraceUtil") returned 12 [0068.040] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d88, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=13 | out: lpWideCharStr="atlTraceUtil") returned 13 [0068.040] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.040] lstrlenA (lpString="atlTraceSecurity") returned 16 [0068.040] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443d98, cbMultiByte=-1, lpWideCharStr=0x19fdc8, cchWideChar=17 | out: lpWideCharStr="atlTraceSecurity") returned 17 [0068.040] VirtualAlloc (lpAddress=0x254ee30, dwSize=0x5f0, flAllocationType=0x1000, flProtect=0x4) returned 0x254e000 [0068.040] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.040] lstrlenA (lpString="atlTraceSync") returned 12 [0068.040] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443dac, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=13 | out: lpWideCharStr="atlTraceSync") returned 13 [0068.041] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.041] lstrlenA (lpString="atlTraceISAPI") returned 13 [0068.041] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443dbc, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=14 | out: lpWideCharStr="atlTraceISAPI") returned 14 [0068.041] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.041] lstrlenA (lpString="atlTraceUser") returned 12 [0068.041] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443dcc, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=13 | out: lpWideCharStr="atlTraceUser") returned 13 [0068.041] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.041] lstrlenA (lpString="atlTraceUser2") returned 13 [0068.041] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443ddc, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=14 | out: lpWideCharStr="atlTraceUser2") returned 14 [0068.041] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.041] lstrlenA (lpString="atlTraceUser3") returned 13 [0068.041] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443dec, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=14 | out: lpWideCharStr="atlTraceUser3") returned 14 [0068.042] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.042] lstrlenA (lpString="atlTraceUser4") returned 13 [0068.042] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x443dfc, cbMultiByte=-1, lpWideCharStr=0x19fdd0, cchWideChar=14 | out: lpWideCharStr="atlTraceUser4") returned 14 [0068.042] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.042] HeapValidate (hHeap=0x2060000, dwFlags=0x0, lpMem=0x2060b10) returned 1 [0068.042] GetStartupInfoA (in: lpStartupInfo=0x19ff20 | out: lpStartupInfo=0x19ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\234561.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0068.042] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0068.044] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19583c | out: lpSystemTimeAsFileTime=0x19583c*(dwLowDateTime=0xa00278fb, dwHighDateTime=0x1d5cfcc)) [0068.045] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x2734) returned 0x2062858 [0068.045] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x74030000 [0068.045] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77390000 [0068.045] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x40c) returned 0x2060bc0 [0068.045] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x40c) returned 0x2064f98 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="WriteProcessMemory") returned 0x74046b70 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="CreateProcessA") returned 0x740445b0 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="VirtualProtectExF") returned 0x0 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="SetThreadContext") returned 0x740466a0 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="GetThreadContext") returned 0x74045580 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="VirtualAllocEx") returned 0x74046990 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="GetCommandLineA") returned 0x74044cb0 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="_lread") returned 0x74086f70 [0068.046] GetProcAddress (hModule=0x74030000, lpProcName="_lopen") returned 0x74086ee0 [0068.047] lstrcpyA (in: lpString1=0x2064fb8, lpString2="Ge" | out: lpString1="Ge") returned="Ge" [0068.047] GetProcAddress (hModule=0x74030000, lpProcName="GetModuleFileNameA") returned 0x74045070 [0068.047] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2062878, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\234561.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\234561.exe")) returned 0x22 [0068.047] _lopen (lpPathName="C:\\Users\\FD1HVy\\Desktop\\234561.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\234561.exe"), iReadWrite=0) returned 0x148 [0068.047] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x9896a4) returned 0x2551020 [0068.257] _hread (in: hFile=0x148, lpBuffer=0x2551040, lBytes=315392 | out: lpBuffer=0x2551040*) returned 315392 [0068.258] _hread (in: hFile=0x148, lpBuffer=0x2551040, lBytes=1500000 | out: lpBuffer=0x2551040*) returned 411136 [0068.265] GetProcAddress (hModule=0x74030000, lpProcName="GetModuleFileNameA") returned 0x74045070 [0068.265] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2062878, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\234561.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\234561.exe")) returned 0x22 [0068.265] GetProcAddress (hModule=0x77390000, lpProcName="NtUnmapViewOfSection") returned 0x77401fb0 [0068.265] GetProcAddress (hModule=0x74030000, lpProcName="GetCurrentProcess") returned 0x7409ea10 [0068.266] GetProcAddress (hModule=0x74030000, lpProcName="VirtualAllocEx") returned 0x74046990 [0068.266] GetCurrentProcess () returned 0xffffffff [0068.266] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x98a6b9, flAllocationType=0x3000, flProtect=0x40) returned 0x2ee0000 [0068.267] GetProcAddress (hModule=0x74030000, lpProcName="ResumeThread") returned 0x74046380 [0068.303] _lopen (lpPathName="C:\\Users\\FD1HVy\\Desktop\\234561.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\234561.exe"), iReadWrite=0) returned 0x14c [0068.303] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0x9896a4) returned 0x3879020 [0068.537] _hread (in: hFile=0x14c, lpBuffer=0x3879040, lBytes=1000000 | out: lpBuffer=0x3879040*) returned 726528 [0068.537] RtlAllocateHeap (HeapHandle=0x2060000, Flags=0x0, Size=0xf4264) returned 0x4211020 [0068.665] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" " [0068.665] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fcb4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19fca4 | out: lpCommandLine="\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" ", lpProcessInformation=0x19fca4*(hProcess=0x154, hThread=0x150, dwProcessId=0xde4, dwThreadId=0x4b4)) returned 1 [0068.681] GetThreadContext (in: hThread=0x150, lpContext=0x19586c | out: lpContext=0x19586c*(ContextFlags=0x10006, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x37f000, Edx=0x0, Ecx=0x0, Eax=0x40fb00, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0068.683] NtUnmapViewOfSection (ProcessHandle=0x154, BaseAddress=0x400000) returned 0x0 [0068.683] VirtualAllocEx (hProcess=0x154, lpAddress=0x400000, dwSize=0xe1000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0068.692] WriteProcessMemory (in: hProcess=0x154, lpBaseAddress=0x400000, lpBuffer=0x4211040*, nSize=0xe1000, lpNumberOfBytesWritten=0x195b44 | out: lpBuffer=0x4211040*, lpNumberOfBytesWritten=0x195b44*=0xe1000) returned 1 [0068.746] WriteProcessMemory (in: hProcess=0x154, lpBaseAddress=0x37f008, lpBuffer=0x195be0*, nSize=0x4, lpNumberOfBytesWritten=0x195b44 | out: lpBuffer=0x195be0*, lpNumberOfBytesWritten=0x195b44*=0x4) returned 1 [0068.746] SetThreadContext (hThread=0x150, lpContext=0x19586c*(ContextFlags=0x10006, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x37f000, Edx=0x0, Ecx=0x0, Eax=0x404393, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0068.747] ResumeThread (hThread=0x150) returned 0x1 [0068.816] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="AtlTraceModuleManager_ProcessAddedStatic3") returned 0x0 [0068.816] UnmapViewOfFile (lpBaseAddress=0x2150000) returned 1 [0068.816] CloseHandle (hObject=0x144) returned 1 [0068.817] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x0) returned 0x430960 [0068.817] GetModuleHandleA (lpModuleName="mscoree.dll") returned 0x0 [0068.817] ExitProcess (uExitCode=0x0) [0068.817] HeapValidate (hHeap=0x2060000, dwFlags=0x0, lpMem=0x20605a8) returned 1 [0068.817] HeapFree (in: hHeap=0x2060000, dwFlags=0x0, lpMem=0x20605a8 | out: hHeap=0x2060000) returned 1 Thread: id = 2 os_tid = 0x43c Process: id = "2" image_name = "234561.exe" filename = "c:\\users\\fd1hvy\\desktop\\234561.exe" page_root = "0x43d9000" os_pid = "0xde4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x2b4" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x4b4 [0070.713] lstrcatA (in: lpString1=0x0, lpString2=0x0 | out: lpString1=0x0) returned 0x0 [0070.715] Sleep (dwMilliseconds=0x2328) [0079.730] EnumResourceNamesA (hModule=0x0, lpType="GEOTEMP", lpEnumFunc=0x40352b, lParam=0x0) [0079.789] GetCursor () returned 0x10007 [0079.789] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.790] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.791] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.792] GetCursor () returned 0x10007 [0079.793] GetCursor () returned 0x10007 [0079.793] GetCursor () returned 0x10007 [0079.793] GetCursor () returned 0x10007 [0079.793] lstrcpyA (in: lpString1=0x407218, lpString2="SVSXCHOST.EXE" | out: lpString1="SVSXCHOST.EXE") returned="SVSXCHOST.EXE" [0079.793] GetCursor () returned 0x10007 [0079.793] lstrlenA (lpString="SVSXCHOST.EXE") returned 13 [0079.793] GetCursor () returned 0x10007 [0079.797] CharLowerBuffA (in: lpsz="SVSXCHOST.EXE", cchLength=0x10007 | out: lpsz="svsxchost.exe") returned 0x10007 [0079.804] GetCursor () returned 0x10007 [0079.804] GetTempPathA (in: nBufferLength=0x104, lpBuffer=0x406461 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0079.805] GetCursor () returned 0x10007 [0079.805] lstrcatA (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpString2="svsxchost.exe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" [0079.805] GetCursor () returned 0x10007 [0079.805] FindResourceA (hModule=0x0, lpName="SVSXCHOST.EXE", lpType="GEOTEMP") returned 0x482080 [0079.805] LoadResource (hModule=0x0, hResInfo=0x482080) returned 0x4820cc [0079.805] LockResource (hResData=0x4820cc) returned 0x4820cc [0079.805] SizeofResource (hModule=0x0, hResInfo=0x482080) returned 0x5eb6d [0079.805] GetCursor () returned 0x10007 [0079.805] GetCursor () returned 0x10007 [0079.805] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.806] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.807] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.808] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.809] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.810] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.811] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.812] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.813] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.814] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.815] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.816] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.817] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.818] GetCursor () returned 0x10007 [0079.841] GetCursor () returned 0x10007 [0079.841] GetCursor () returned 0x10007 [0079.841] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.842] GetCursor () returned 0x10007 [0079.844] CreateFileA (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0079.849] WriteFile (in: hFile=0x1b0, lpBuffer=0x4820cc*, nNumberOfBytesToWrite=0x5eb6d, lpNumberOfBytesWritten=0x19fe34, lpOverlapped=0x0 | out: lpBuffer=0x4820cc*, lpNumberOfBytesWritten=0x19fe34*=0x5eb6d, lpOverlapped=0x0) returned 1 [0079.865] CloseHandle (hObject=0x1b0) returned 1 [0079.887] CreateFileA (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0079.888] GetFileSize (in: hFile=0x1b0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x5eb6d [0079.893] ReadFile (in: hFile=0x1b0, lpBuffer=0x40749c, nNumberOfBytesToRead=0x5eb6d, lpNumberOfBytesRead=0x19fcc8, lpOverlapped=0x0 | out: lpBuffer=0x40749c*, lpNumberOfBytesRead=0x19fcc8*=0x5eb6d, lpOverlapped=0x0) returned 1 [0079.894] CloseHandle (hObject=0x1b0) returned 1 [0079.894] EnumResourceNamesA (hModule=0x0, lpType="GEOTEMP", lpEnumFunc=0x4022f1, lParam=0x0) returned 1 [0079.908] GetCursor () returned 0x10007 [0079.908] GetCursor () returned 0x10007 [0079.908] GetCursor () returned 0x10007 [0079.908] GetCursor () returned 0x10007 [0079.908] GetCursor () returned 0x10007 [0079.908] GetCursor () returned 0x10007 [0079.908] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.909] GetCursor () returned 0x10007 [0079.910] lstrcpyA (in: lpString1=0x407218, lpString2="SVSXCHOST.EXE" | out: lpString1="SVSXCHOST.EXE") returned="SVSXCHOST.EXE" [0079.910] GetCursor () returned 0x10007 [0079.910] lstrlenA (lpString="SVSXCHOST.EXE") returned 13 [0079.910] GetCursor () returned 0x10007 [0079.910] CharLowerBuffA (in: lpsz="SVSXCHOST.EXE", cchLength=0x10007 | out: lpsz="svsxchost.exe") returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetTempPathA (in: nBufferLength=0x104, lpBuffer=0x406461 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0079.912] GetCursor () returned 0x10007 [0079.912] lstrcatA (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpString2="svsxchost.exe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" [0079.912] GetCursor () returned 0x10007 [0079.912] lstrcatA (in: lpString1="", lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.912] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.913] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.914] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.915] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.916] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.917] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.918] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.919] GetCursor () returned 0x10007 [0079.920] GetCursor () returned 0x10007 [0079.921] GetCursor () returned 0x10007 [0079.921] GetCursor () returned 0x10007 [0079.921] GetCursor () returned 0x10007 [0079.921] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.922] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.923] GetCursor () returned 0x10007 [0079.924] GetCursor () returned 0x10007 [0079.924] GetCursor () returned 0x10007 [0079.924] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.937] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.938] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.939] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.940] GetCursor () returned 0x10007 [0079.951] lstrcpyA (in: lpString1=0x407218, lpString2="SVSXCHOST.EXE" | out: lpString1="SVSXCHOST.EXE") returned="SVSXCHOST.EXE" [0079.951] lstrlenA (lpString="SVSXCHOST.EXE") returned 13 [0079.952] CharLowerBuffA (in: lpsz="SVSXCHOST.EXE", cchLength=0x10007 | out: lpsz="svsxchost.exe") returned 0x10007 [0079.952] GetTempPathA (in: nBufferLength=0x104, lpBuffer=0x406461 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0079.952] lstrcatA (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpString2="svsxchost.exe" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" [0079.952] FindResourceA (hModule=0x0, lpName="SVSXCHOST.EXE", lpType="GEOTEMP") returned 0x482080 [0079.952] LoadResource (hModule=0x0, hResInfo=0x482080) returned 0x4820cc [0079.952] LockResource (hResData=0x4820cc) returned 0x4820cc [0079.952] SizeofResource (hModule=0x0, hResInfo=0x482080) returned 0x5eb6d [0079.952] GetCursor () returned 0x10007 [0079.952] GetCursor () returned 0x10007 [0079.952] GetCursor () returned 0x10007 [0079.952] GetCursor () returned 0x10007 [0079.952] GetCursor () returned 0x10007 [0079.952] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.953] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.954] GetCursor () returned 0x10007 [0079.955] GetCursor () returned 0x10007 [0079.955] GetCursor () returned 0x10007 [0079.955] GetCursor () returned 0x10007 [0079.955] GetCursor () returned 0x10007 [0079.955] GetCursor () returned 0x10007 [0079.955] GetCursor () returned 0x10007 [0079.955] GetCursor () returned 0x10007 [0080.000] GetCursor () returned 0x10007 [0080.000] GetCursor () returned 0x10007 [0080.000] GetCursor () returned 0x10007 [0080.000] GetCursor () returned 0x10007 [0080.000] GetCursor () returned 0x10007 [0080.000] GetCursor () returned 0x10007 [0080.000] GetCursor () returned 0x10007 [0080.001] CreateFileA (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0080.005] WriteFile (in: hFile=0x1b0, lpBuffer=0x4820cc*, nNumberOfBytesToWrite=0x5eb6d, lpNumberOfBytesWritten=0x19f84c, lpOverlapped=0x0 | out: lpBuffer=0x4820cc*, lpNumberOfBytesWritten=0x19f84c*=0x5eb6d, lpOverlapped=0x0) returned 1 [0080.013] CloseHandle (hObject=0x1b0) returned 1 [0080.042] CreateFileA (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0080.042] GetFileSize (in: hFile=0x1b0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x5eb6d [0080.047] ReadFile (in: hFile=0x1b0, lpBuffer=0x5b3ae8, nNumberOfBytesToRead=0x5eb6d, lpNumberOfBytesRead=0x19f870, lpOverlapped=0x0 | out: lpBuffer=0x5b3ae8*, lpNumberOfBytesRead=0x19f870*=0x5eb6d, lpOverlapped=0x0) returned 1 [0080.048] CloseHandle (hObject=0x1b0) returned 1 [0080.049] CreateFileA (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1b0 [0080.053] WriteFile (in: hFile=0x1b0, lpBuffer=0x5b3ae8*, nNumberOfBytesToWrite=0x5eb6d, lpNumberOfBytesWritten=0x19f870, lpOverlapped=0x0 | out: lpBuffer=0x5b3ae8*, lpNumberOfBytesWritten=0x19f870*=0x5eb6d, lpOverlapped=0x0) returned 1 [0080.061] CloseHandle (hObject=0x1b0) returned 1 [0080.097] GetTempPathA (in: nBufferLength=0x104, lpBuffer=0x406565 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0080.142] ShellExecuteA (hwnd=0x0, lpOperation="OPEN", lpFile="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpParameters=0x0, lpDirectory="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nShowCmd=1) returned 0x2a Thread: id = 4 os_tid = 0xc2c Thread: id = 5 os_tid = 0x10b0 Thread: id = 6 os_tid = 0x10c4 Thread: id = 7 os_tid = 0x10d8 Thread: id = 8 os_tid = 0x10f0 Thread: id = 9 os_tid = 0x1104 Thread: id = 10 os_tid = 0x1118 Process: id = "3" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49390000" os_pid = "0x538" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x24c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:00011899" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 11 os_tid = 0x908 Thread: id = 12 os_tid = 0x900 Thread: id = 13 os_tid = 0x8f8 Thread: id = 14 os_tid = 0x8f0 Thread: id = 15 os_tid = 0x570 Thread: id = 16 os_tid = 0x5a8 Thread: id = 17 os_tid = 0x614 Thread: id = 18 os_tid = 0x610 Thread: id = 19 os_tid = 0x604 Thread: id = 20 os_tid = 0x598 Thread: id = 21 os_tid = 0x594 Thread: id = 22 os_tid = 0x590 Thread: id = 23 os_tid = 0x53c Process: id = "4" image_name = "svsxchost.exe" filename = "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe" page_root = "0x590f4000" os_pid = "0x112c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde4" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe\" " cur_dir = "C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 24 os_tid = 0x1148 [0098.203] GetModuleHandleA (lpModuleName=0x0) returned 0xd60000 [0098.205] GetKeyboardType (nTypeFlag=0) returned 4 [0098.491] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe\" " [0098.491] GetStartupInfoA (in: lpStartupInfo=0x12ff74c | out: lpStartupInfo=0x12ff74c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0098.491] GetACP () returned 0x4e4 [0098.491] GetCurrentThreadId () returned 0x1148 [0098.491] GetModuleFileNameA (in: hModule=0xd60000, lpFilename=0x12fe63c, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe")) returned 0x30 [0098.491] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x12fe517, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe")) returned 0x30 [0098.491] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fe62c | out: phkResult=0x12fe62c*=0x0) returned 0x2 [0098.492] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fe62c | out: phkResult=0x12fe62c*=0x0) returned 0x2 [0098.492] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0x12fe62c | out: phkResult=0x12fe62c*=0x0) returned 0x2 [0098.492] lstrcpynA (in: lpString1=0x12fe517, lpString2="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", iMaxLength=261 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe") returned="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" [0098.492] GetThreadLocale () returned 0x409 [0098.492] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x12fe627, cchData=5 | out: lpLCData="ENU") returned 4 [0098.494] lstrlenA (lpString="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe") returned 48 [0098.494] lstrcpynA (in: lpString1=0x12fe544, lpString2="ENU", iMaxLength=216 | out: lpString1="ENU") returned="ENU" [0098.494] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0098.495] lstrcpynA (in: lpString1=0x12fe544, lpString2="EN", iMaxLength=216 | out: lpString1="EN") returned="EN" [0098.495] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffdf, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffde, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffdc, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffdd, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffd0, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffd8, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffef, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffec, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffd3, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffd2, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffe5, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffe6, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffe7, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffe4, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffe2, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffe0, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xffff, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xfffe, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.496] LoadStringA (in: hInstance=0xd60000, uID=0xfffd, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfffc, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfffb, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfffa, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfff9, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfff8, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfff7, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfff6, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfff5, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfff4, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] LoadStringA (in: hInstance=0xd60000, uID=0xfff3, lpBuffer=0x12fe76c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.497] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x17b0000 [0098.498] LoadStringA (in: hInstance=0xd60000, uID=0xfff1, lpBuffer=0x12fe758, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.498] LoadStringA (in: hInstance=0xd60000, uID=0xffe1, lpBuffer=0x12fe758, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0098.498] GetVersionExA (in: lpVersionInformation=0x12ff6f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xffffffff, dwMinorVersion=0x12ff714, dwBuildNumber=0x0, dwPlatformId=0x12ff710, szCSDVersion="") | out: lpVersionInformation=0x12ff6f0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0098.498] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0098.498] GetProcAddress (hModule=0x74030000, lpProcName="GetDiskFreeSpaceExA") returned 0x7409ee90 [0098.498] GetThreadLocale () returned 0x409 [0098.498] GetSystemMetrics (nIndex=42) returned 0 [0098.593] GetThreadLocale () returned 0x409 [0098.593] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Jan") returned 4 [0098.593] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="January") returned 8 [0098.593] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Feb") returned 4 [0098.597] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="February") returned 9 [0098.597] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Mar") returned 4 [0098.597] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="March") returned 6 [0098.597] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Apr") returned 4 [0098.597] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="April") returned 6 [0098.607] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="May") returned 4 [0098.607] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="May") returned 4 [0098.607] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Jun") returned 4 [0098.607] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="June") returned 5 [0098.610] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Jul") returned 4 [0098.610] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="July") returned 5 [0098.610] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Aug") returned 4 [0098.610] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="August") returned 7 [0098.610] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Sep") returned 4 [0098.610] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="September") returned 10 [0098.612] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Oct") returned 4 [0098.612] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="October") returned 8 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Nov") returned 4 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="November") returned 9 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Dec") returned 4 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="December") returned 9 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Sun") returned 4 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Sunday") returned 7 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Mon") returned 4 [0098.613] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Monday") returned 7 [0098.627] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Tue") returned 4 [0098.627] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Tuesday") returned 8 [0098.627] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Wed") returned 4 [0098.627] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Wednesday") returned 10 [0098.627] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Thu") returned 4 [0098.627] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Thursday") returned 9 [0098.627] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Fri") returned 4 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Friday") returned 7 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Sat") returned 4 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x12ff5c8, cchData=256 | out: lpLCData="Saturday") returned 9 [0098.628] GetThreadLocale () returned 0x409 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x12ff624, cchData=256 | out: lpLCData="$") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x12ff624, cchData=256 | out: lpLCData="0") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x12ff624, cchData=256 | out: lpLCData="0") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x12ff71c, cchData=2 | out: lpLCData=",") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x12ff71c, cchData=2 | out: lpLCData=".") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x12ff624, cchData=256 | out: lpLCData="2") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x12ff71c, cchData=2 | out: lpLCData="/") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x12ff624, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0098.628] GetThreadLocale () returned 0x409 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x12ff5f0, cchData=256 | out: lpLCData="1") returned 2 [0098.628] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x12ff624, cchData=256 | out: lpLCData="dddd, MMMM d, yyyy") returned 19 [0098.629] GetThreadLocale () returned 0x409 [0098.629] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x12ff5f0, cchData=256 | out: lpLCData="1") returned 2 [0098.629] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x12ff71c, cchData=2 | out: lpLCData=":") returned 2 [0098.629] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x12ff624, cchData=256 | out: lpLCData="AM") returned 3 [0098.629] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x12ff624, cchData=256 | out: lpLCData="PM") returned 3 [0098.629] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x12ff624, cchData=256 | out: lpLCData="0") returned 2 [0098.632] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x12ff624, cchData=256 | out: lpLCData="0") returned 2 [0098.632] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x12ff624, cchData=256 | out: lpLCData="0") returned 2 [0098.632] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x12ff71c, cchData=2 | out: lpLCData=",") returned 2 [0098.632] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x73e80000 [0098.632] GetProcAddress (hModule=0x73e80000, lpProcName="VariantChangeTypeEx") returned 0x73e9a610 [0098.633] GetProcAddress (hModule=0x73e80000, lpProcName="VarNeg") returned 0x73ee52c0 [0098.633] GetProcAddress (hModule=0x73e80000, lpProcName="VarNot") returned 0x73ee6560 [0098.633] GetProcAddress (hModule=0x73e80000, lpProcName="VarAdd") returned 0x73ebd610 [0098.633] GetProcAddress (hModule=0x73e80000, lpProcName="VarSub") returned 0x73ebe3e0 [0098.633] GetProcAddress (hModule=0x73e80000, lpProcName="VarMul") returned 0x73ebdb10 [0098.633] GetProcAddress (hModule=0x73e80000, lpProcName="VarDiv") returned 0x73ee5800 [0098.634] GetProcAddress (hModule=0x73e80000, lpProcName="VarIdiv") returned 0x73ee61a0 [0098.634] GetProcAddress (hModule=0x73e80000, lpProcName="VarMod") returned 0x73ee6400 [0098.634] GetProcAddress (hModule=0x73e80000, lpProcName="VarAnd") returned 0x73eb3200 [0098.634] GetProcAddress (hModule=0x73e80000, lpProcName="VarOr") returned 0x73ee6610 [0098.634] GetProcAddress (hModule=0x73e80000, lpProcName="VarXor") returned 0x73ee67b0 [0098.635] GetProcAddress (hModule=0x73e80000, lpProcName="VarCmp") returned 0x73ea60b0 [0098.635] GetProcAddress (hModule=0x73e80000, lpProcName="VarI4FromStr") returned 0x73ea6ec0 [0098.635] GetProcAddress (hModule=0x73e80000, lpProcName="VarR4FromStr") returned 0x73eb3010 [0098.635] GetProcAddress (hModule=0x73e80000, lpProcName="VarR8FromStr") returned 0x73eb3630 [0098.635] GetProcAddress (hModule=0x73e80000, lpProcName="VarDateFromStr") returned 0x73ea8b90 [0098.635] GetProcAddress (hModule=0x73e80000, lpProcName="VarCyFromStr") returned 0x73e92d90 [0098.635] GetProcAddress (hModule=0x73e80000, lpProcName="VarBoolFromStr") returned 0x73ea48f0 [0098.636] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromCy") returned 0x73ea7f50 [0098.636] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromDate") returned 0x73ea89c0 [0098.636] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromBool") returned 0x73ea48a0 [0098.637] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="") returned 0x1f0 [0098.637] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x1f4 [0098.637] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1f8 [0098.638] QueryPerformanceCounter (in: lpPerformanceCount=0x12ff778 | out: lpPerformanceCount=0x12ff778*=25666908240) returned 1 [0098.640] GetTickCount () returned 0x1169300 [0098.640] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe\" " [0098.645] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe\" " [0098.652] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe\" " [0098.654] GetUserDefaultLangID () returned 0x409 [0098.654] GetLocaleInfoA (in: Locale=0x800, LCType=0x5, lpLCData=0x12ff6d4, cchData=19 | out: lpLCData="1") returned 2 [0098.654] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x12ff580, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe")) returned 0x30 [0098.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18659b8, cbMultiByte=17, lpWideCharStr=0x12fe684, cchWideChar=2047 | out: lpWideCharStr="11457D20.zeppelin") returned 17 [0098.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e9780, cbMultiByte=4, lpWideCharStr=0x12fe438, cchWideChar=2047 | out: lpWideCharStr="TEMP\x0e") returned 4 [0098.655] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x12ff45e, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0098.655] SysReAllocStringLen (in: pbstr=0x12ff6a8*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0x12ff6a8*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0098.656] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\11457d20.zeppelin"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0098.660] WriteFile (in: hFile=0x1fc, lpBuffer=0x18e1b38*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x12ff6ac, lpOverlapped=0x0 | out: lpBuffer=0x18e1b38*, lpNumberOfBytesWritten=0x12ff6ac*=0x1, lpOverlapped=0x0) returned 1 [0098.662] CloseHandle (hObject=0x1fc) returned 1 [0098.665] Sleep (dwMilliseconds=0x29a) [0099.421] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x12ff464 | out: lpFindFileData=0x12ff464*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2422c48, ftCreationTime.dwHighDateTime=0x1d5cfcc, ftLastAccessTime.dwLowDateTime=0xb2422c48, ftLastAccessTime.dwHighDateTime=0x1d5cfcc, ftLastWriteTime.dwLowDateTime=0xb2428e36, ftLastWriteTime.dwHighDateTime=0x1d5cfcc, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="11457D20.zeppelin", cAlternateFileName="11457D~1.ZEP")) returned 0x15ca178 [0099.422] FileTimeToLocalFileTime (in: lpFileTime=0x12ff478, lpLocalFileTime=0x12ff410 | out: lpLocalFileTime=0x12ff410) returned 1 [0099.422] FileTimeToDosDateTime (in: lpFileTime=0x12ff410, lpFatDate=0x12ff446, lpFatTime=0x12ff444 | out: lpFatDate=0x12ff446, lpFatTime=0x12ff444) returned 1 [0099.422] FindClose (in: hFindFile=0x15ca178 | out: hFindFile=0x15ca178) returned 1 [0099.423] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\11457d20.zeppelin")) returned 1 [0099.424] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x12ff584, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe")) returned 0x30 [0099.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x185e688, cbMultiByte=17, lpWideCharStr=0x12fe688, cchWideChar=2047 | out: lpWideCharStr="11457D20.zeppelin") returned 17 [0099.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e9750, cbMultiByte=4, lpWideCharStr=0x12fe43c, cchWideChar=2047 | out: lpWideCharStr="TEMPɠś￾￿įį鿐着㞚￾￿į૗眽") returned 4 [0099.425] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x12ff462, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0099.425] SysReAllocStringLen (in: pbstr=0x12ff6ac*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0x12ff6ac*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0099.425] SysReAllocStringLen (in: pbstr=0x18cc0a8*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", len=0x34 | out: pbstr=0x18cc0a8*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin") returned 1 [0099.425] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd64694, lpParameter=0x18e1b30, dwCreationFlags=0x4, lpThreadId=0x18cc070 | out: lpThreadId=0x18cc070*=0x124c) returned 0x1fc [0099.426] ResumeThread (hThread=0x1fc) returned 0x1 [0099.426] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe\" " [0099.427] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x12ff674 | out: phkResult=0x12ff674*=0x0) returned 0x2 [0099.429] LoadStringA (in: hInstance=0xd60000, uID=0xffed, lpBuffer=0x12fd4ac, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0099.429] VirtualQuery (in: lpAddress=0xd63031, lpBuffer=0x12fe61c, dwLength=0x1c | out: lpBuffer=0x12fe61c*(BaseAddress=0xd63000, AllocationBase=0xd60000, AllocationProtect=0x80, RegionSize=0x2e000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0099.430] GetModuleFileNameA (in: hModule=0xd60000, lpFilename=0x12fe517, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe")) returned 0x30 [0099.430] LoadStringA (in: hInstance=0xd60000, uID=0xffc2, lpBuffer=0x12fd4a4, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0099.430] RtlUnwind (TargetFrame=0x12ff68c, TargetIp=0xd63fa8, ExceptionRecord=0x12feb14, ReturnValue=0x0) [0099.430] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0x12ff678, lpdwDisposition=0x12ff67c | out: phkResult=0x12ff678*=0x200, lpdwDisposition=0x12ff67c*=0x1) returned 0x0 [0099.431] RegSetValueExA (in: hKey=0x200, lpValueName="Process", Reserved=0x0, dwType=0x1, lpData="SLx8lFAF9YZQA5iB+vym2jhDKXAUlBUHrz0MTFAbkroc4CC5s0J0upI99/Q=", cbData=0x3d | out: lpData="SLx8lFAF9YZQA5iB+vym2jhDKXAUlBUHrz0MTFAbkroc4CC5s0J0upI99/Q=") returned 0x0 [0099.433] RegCloseKey (hKey=0x200) returned 0x0 [0099.433] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e97b0, cbMultiByte=7, lpWideCharStr=0x12fe408, cchWideChar=2047 | out: lpWideCharStr="APPDATAį㾨Ö#") returned 7 [0099.433] GetEnvironmentVariableW (in: lpName="APPDATA", lpBuffer=0x12ff42e, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x1f [0099.434] SysReAllocStringLen (in: pbstr=0x12ff6a4*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Roaming", len=0x1f | out: pbstr=0x12ff6a4*="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 1 [0099.434] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18da748, cbMultiByte=18, lpWideCharStr=0x12fe62c, cchWideChar=2047 | out: lpWideCharStr="Microsoft\\Windows\\〱Ö靠Ǝįįį") returned 18 [0099.434] SysReAllocStringLen (in: pbstr=0x12ff6b0*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\", len=0x32 | out: pbstr=0x12ff6b0*="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\") returned 1 [0099.434] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows")) returned 0x10 [0099.435] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18da728, cbMultiByte=12, lpWideCharStr=0x12fe630, cchWideChar=2047 | out: lpWideCharStr="explorer.exeows\\〱Ö靠Ǝįįį") returned 12 [0099.435] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0 [0099.435] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12ff420, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe")) returned 0x30 [0099.435] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe"), bFailIfExists=0) returned 1 [0100.007] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e1b88, cbMultiByte=1, lpWideCharStr=0x12fe630, cchWideChar=2047 | out: lpWideCharStr="\"į") returned 1 [0100.007] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e9738, cbMultiByte=8, lpWideCharStr=0x12fe628, cchWideChar=2047 | out: lpWideCharStr="\" -start") returned 8 [0100.007] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x1857358, cbMultiByte=58, lpWideCharStr=0x12fe62c, cchWideChar=2047 | out: lpWideCharStr="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\explorer.exe") returned 58 [0100.007] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0x12ff5fc, lpdwDisposition=0x12ff600 | out: phkResult=0x12ff5fc*=0x200, lpdwDisposition=0x12ff600*=0x2) returned 0x0 [0100.008] RegSetValueExW (in: hKey=0x200, lpValueName="explorer.exe", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start", cbData=0x90 | out: lpData="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start") returned 0x0 [0100.008] RegCloseKey (hKey=0x200) returned 0x0 [0100.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e9780, cbMultiByte=6, lpWideCharStr=0x12fe5f0, cchWideChar=2047 | out: lpWideCharStr="-start㇜Ŝįt") returned 6 [0100.009] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e97e0, cbMultiByte=4, lpWideCharStr=0x12fe5e8, cchWideChar=2047 | out: lpWideCharStr="open-start㇜Ŝįt") returned 4 [0100.009] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpParameters="-start", lpDirectory=0x0, nShowCmd=1) returned 0x2a [0101.131] GetCurrentProcess () returned 0xffffffff [0101.131] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x12ff644 | out: TokenHandle=0x12ff644*=0x2b0) returned 1 [0101.131] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12ff638 | out: lpLuid=0x12ff638*(LowPart=0x14, HighPart=0)) returned 1 [0101.172] AdjustTokenPrivileges (in: TokenHandle=0x2b0, DisableAllPrivileges=0, NewState=0x12ff624*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x12ff634 | out: PreviousState=0x0, ReturnLength=0x12ff634) returned 1 [0101.172] CloseHandle (hObject=0x2b0) returned 1 [0101.172] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18e97e0, cbMultiByte=11, lpWideCharStr=0x12fe63c, cchWideChar=2047 | out: lpWideCharStr="notepad.exe") returned 11 [0101.172] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="notepad.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000044, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x12ff674*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12ff664 | out: lpCommandLine="notepad.exe", lpProcessInformation=0x12ff664*(hProcess=0x36c, hThread=0x2b0, dwProcessId=0x1134, dwThreadId=0x7b4)) returned 1 [0103.860] CloseHandle (hObject=0x2b0) returned 1 [0103.860] OpenProcessToken (in: ProcessHandle=0x1134, DesiredAccess=0x28, TokenHandle=0x12ff644 | out: TokenHandle=0x12ff644*=0x0) returned 0 [0103.860] LookupPrivilegeValueA (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12ff638 | out: lpLuid=0x12ff638*(LowPart=0x14, HighPart=0)) returned 1 [0103.863] AdjustTokenPrivileges (in: TokenHandle=0x0, DisableAllPrivileges=0, NewState=0x12ff624*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x10, PreviousState=0x0, ReturnLength=0x12ff634 | out: PreviousState=0x0, ReturnLength=0x12ff634) returned 0 [0103.863] CloseHandle (hObject=0x0) returned 0 [0103.863] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x1134) returned 0x2b0 [0103.863] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.863] GetProcAddress (hModule=0x74030000, lpProcName="DeleteFileW") returned 0x7409ed40 [0103.863] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.863] GetProcAddress (hModule=0x74030000, lpProcName="ExitProcess") returned 0x74043cb0 [0103.864] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.864] GetProcAddress (hModule=0x74030000, lpProcName="Sleep") returned 0x74046760 [0103.864] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x12ff3ec, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\svsxchost.exe")) returned 0x30 [0103.864] VirtualAllocEx (hProcess=0x2b0, lpAddress=0x0, dwSize=0x61, flAllocationType=0x3000, flProtect=0x40) returned 0xe50000 [0103.864] WriteProcessMemory (in: hProcess=0x2b0, lpBaseAddress=0xe50000, lpBuffer=0x1600714*, nSize=0x61, lpNumberOfBytesWritten=0x12ff640 | out: lpBuffer=0x1600714*, lpNumberOfBytesWritten=0x12ff640*=0x61) returned 1 [0103.866] VirtualAllocEx (hProcess=0x2b0, lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x40) returned 0xe60000 [0103.937] WriteProcessMemory (in: hProcess=0x2b0, lpBaseAddress=0xe60000, lpBuffer=0x12ff62c*, nSize=0x10, lpNumberOfBytesWritten=0x12ff640 | out: lpBuffer=0x12ff62c*, lpNumberOfBytesWritten=0x12ff640*=0x10) returned 1 [0103.938] VirtualAllocEx (hProcess=0x2b0, lpAddress=0x0, dwSize=0x1f4, flAllocationType=0x3000, flProtect=0x40) returned 0xe70000 [0103.939] WriteProcessMemory (in: hProcess=0x2b0, lpBaseAddress=0xe70000, lpBuffer=0xd8c2ec*, nSize=0x1f4, lpNumberOfBytesWritten=0x12ff640 | out: lpBuffer=0xd8c2ec*, lpNumberOfBytesWritten=0x12ff640*=0x1f4) returned 1 [0103.940] CreateRemoteThread (in: hProcess=0x2b0, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xe70000, lpParameter=0xe60000, dwCreationFlags=0x0, lpThreadId=0x12ff63c | out: lpThreadId=0x12ff63c*=0x5e0) returned 0x358 [0103.942] CloseHandle (hObject=0x2b0) returned 1 [0103.942] Sleep (dwMilliseconds=0x3e8) [0105.116] ExitProcess (uExitCode=0xdeadface) Thread: id = 25 os_tid = 0x115c Thread: id = 26 os_tid = 0x1184 Thread: id = 28 os_tid = 0x124c [0099.970] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x77390000, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x326fac8, nFileSizeHigh=0x110d000, nFileSizeLow=0x1101000, dwReserved0=0x0, dwReserved1=0x326fa54, cFileName="", cAlternateFileName="")) returned 0xffffffff [0099.971] GetLastError () returned 0x2 [0099.971] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x228) returned 0x0 [0099.972] RegQueryValueExA (in: hKey=0x228, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0099.972] RegCloseKey (hKey=0x228) returned 0x0 [0099.972] Sleep (dwMilliseconds=0xa) [0100.065] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.232] GetLastError () returned 0x2 [0100.232] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x254) returned 0x0 [0100.233] RegQueryValueExA (in: hKey=0x254, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.233] RegCloseKey (hKey=0x254) returned 0x0 [0100.233] Sleep (dwMilliseconds=0xa) [0100.280] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.281] GetLastError () returned 0x2 [0100.281] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x294) returned 0x0 [0100.281] RegQueryValueExA (in: hKey=0x294, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.281] RegCloseKey (hKey=0x294) returned 0x0 [0100.281] Sleep (dwMilliseconds=0xa) [0100.367] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.367] GetLastError () returned 0x2 [0100.368] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x288) returned 0x0 [0100.368] RegQueryValueExA (in: hKey=0x288, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.368] RegCloseKey (hKey=0x288) returned 0x0 [0100.368] Sleep (dwMilliseconds=0xa) [0100.555] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.555] GetLastError () returned 0x2 [0100.555] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x324) returned 0x0 [0100.555] RegQueryValueExA (in: hKey=0x324, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.555] RegCloseKey (hKey=0x324) returned 0x0 [0100.555] Sleep (dwMilliseconds=0xa) [0100.604] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.604] GetLastError () returned 0x2 [0100.604] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x380) returned 0x0 [0100.604] RegQueryValueExA (in: hKey=0x380, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.604] RegCloseKey (hKey=0x380) returned 0x0 [0100.604] Sleep (dwMilliseconds=0xa) [0100.643] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.644] GetLastError () returned 0x2 [0100.644] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x390) returned 0x0 [0100.644] RegQueryValueExA (in: hKey=0x390, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.644] RegCloseKey (hKey=0x390) returned 0x0 [0100.644] Sleep (dwMilliseconds=0xa) [0100.692] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.693] GetLastError () returned 0x2 [0100.693] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x3d8) returned 0x0 [0100.693] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.693] RegCloseKey (hKey=0x3d8) returned 0x0 [0100.693] Sleep (dwMilliseconds=0xa) [0100.903] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.903] GetLastError () returned 0x2 [0100.904] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x3d8) returned 0x0 [0100.904] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.904] RegCloseKey (hKey=0x3d8) returned 0x0 [0100.904] Sleep (dwMilliseconds=0xa) [0100.929] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.929] GetLastError () returned 0x2 [0100.929] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x3d8) returned 0x0 [0100.929] RegQueryValueExA (in: hKey=0x3d8, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.929] RegCloseKey (hKey=0x3d8) returned 0x0 [0100.930] Sleep (dwMilliseconds=0xa) [0100.993] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0100.993] GetLastError () returned 0x2 [0100.993] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x438) returned 0x0 [0100.994] RegQueryValueExA (in: hKey=0x438, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0100.994] RegCloseKey (hKey=0x438) returned 0x0 [0100.994] Sleep (dwMilliseconds=0xa) [0101.031] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.032] GetLastError () returned 0x2 [0101.032] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x440) returned 0x0 [0101.032] RegQueryValueExA (in: hKey=0x440, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.032] RegCloseKey (hKey=0x440) returned 0x0 [0101.032] Sleep (dwMilliseconds=0xa) [0101.085] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.086] GetLastError () returned 0x2 [0101.086] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x454) returned 0x0 [0101.086] RegQueryValueExA (in: hKey=0x454, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.086] RegCloseKey (hKey=0x454) returned 0x0 [0101.086] Sleep (dwMilliseconds=0xa) [0101.169] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.169] GetLastError () returned 0x2 [0101.169] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x36c) returned 0x0 [0101.169] RegQueryValueExA (in: hKey=0x36c, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.170] RegCloseKey (hKey=0x36c) returned 0x0 [0101.170] Sleep (dwMilliseconds=0xa) [0101.214] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.215] GetLastError () returned 0x2 [0101.215] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0101.215] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.215] RegCloseKey (hKey=0x2b0) returned 0x0 [0101.215] Sleep (dwMilliseconds=0xa) [0101.258] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.259] GetLastError () returned 0x2 [0101.259] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0101.259] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.259] RegCloseKey (hKey=0x2b0) returned 0x0 [0101.259] Sleep (dwMilliseconds=0xa) [0101.301] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.301] GetLastError () returned 0x2 [0101.301] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0101.301] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.301] RegCloseKey (hKey=0x2b0) returned 0x0 [0101.302] Sleep (dwMilliseconds=0xa) [0101.328] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.329] GetLastError () returned 0x2 [0101.329] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0101.329] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.329] RegCloseKey (hKey=0x2b0) returned 0x0 [0101.329] Sleep (dwMilliseconds=0xa) [0101.383] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.384] GetLastError () returned 0x2 [0101.384] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0101.384] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.384] RegCloseKey (hKey=0x2b0) returned 0x0 [0101.384] Sleep (dwMilliseconds=0xa) [0101.444] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0101.444] GetLastError () returned 0x2 [0101.444] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0101.444] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0101.445] RegCloseKey (hKey=0x2b0) returned 0x0 [0101.445] Sleep (dwMilliseconds=0xa) [0101.481] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.176] GetLastError () returned 0x2 [0102.177] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.177] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.177] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.177] Sleep (dwMilliseconds=0xa) [0102.205] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.206] GetLastError () returned 0x2 [0102.206] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.206] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.206] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.206] Sleep (dwMilliseconds=0xa) [0102.221] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.222] GetLastError () returned 0x2 [0102.222] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.222] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.222] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.222] Sleep (dwMilliseconds=0xa) [0102.248] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.248] GetLastError () returned 0x2 [0102.248] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.249] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.249] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.249] Sleep (dwMilliseconds=0xa) [0102.266] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.267] GetLastError () returned 0x2 [0102.267] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.267] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.267] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.267] Sleep (dwMilliseconds=0xa) [0102.280] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.281] GetLastError () returned 0x2 [0102.281] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.281] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.281] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.281] Sleep (dwMilliseconds=0xa) [0102.308] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.308] GetLastError () returned 0x2 [0102.308] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.308] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.308] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.308] Sleep (dwMilliseconds=0xa) [0102.328] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.328] GetLastError () returned 0x2 [0102.328] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.328] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.329] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.329] Sleep (dwMilliseconds=0xa) [0102.342] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.342] GetLastError () returned 0x2 [0102.342] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.343] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.343] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.343] Sleep (dwMilliseconds=0xa) [0102.358] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.358] GetLastError () returned 0x2 [0102.358] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.358] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.358] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.358] Sleep (dwMilliseconds=0xa) [0102.375] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.376] GetLastError () returned 0x2 [0102.376] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.376] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.376] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.376] Sleep (dwMilliseconds=0xa) [0102.406] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.406] GetLastError () returned 0x2 [0102.406] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.406] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.406] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.407] Sleep (dwMilliseconds=0xa) [0102.422] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.422] GetLastError () returned 0x2 [0102.422] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.422] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.422] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.422] Sleep (dwMilliseconds=0xa) [0102.443] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.444] GetLastError () returned 0x2 [0102.444] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.444] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.444] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.444] Sleep (dwMilliseconds=0xa) [0102.467] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.467] GetLastError () returned 0x2 [0102.467] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.467] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.468] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.468] Sleep (dwMilliseconds=0xa) [0102.484] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.485] GetLastError () returned 0x2 [0102.485] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.485] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.485] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.485] Sleep (dwMilliseconds=0xa) [0102.499] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.499] GetLastError () returned 0x2 [0102.500] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.500] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.500] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.500] Sleep (dwMilliseconds=0xa) [0102.514] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.514] GetLastError () returned 0x2 [0102.514] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.515] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.515] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.515] Sleep (dwMilliseconds=0xa) [0102.531] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.532] GetLastError () returned 0x2 [0102.532] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.532] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.532] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.532] Sleep (dwMilliseconds=0xa) [0102.546] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.546] GetLastError () returned 0x2 [0102.546] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.547] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.547] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.547] Sleep (dwMilliseconds=0xa) [0102.561] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.561] GetLastError () returned 0x2 [0102.561] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.561] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.561] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.561] Sleep (dwMilliseconds=0xa) [0102.577] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.578] GetLastError () returned 0x2 [0102.578] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.578] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.578] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.578] Sleep (dwMilliseconds=0xa) [0102.593] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.593] GetLastError () returned 0x2 [0102.593] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.593] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.593] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.594] Sleep (dwMilliseconds=0xa) [0102.609] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.609] GetLastError () returned 0x2 [0102.609] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.609] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.610] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.610] Sleep (dwMilliseconds=0xa) [0102.649] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.650] GetLastError () returned 0x2 [0102.650] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.650] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.650] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.650] Sleep (dwMilliseconds=0xa) [0102.670] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.671] GetLastError () returned 0x2 [0102.671] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.671] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.671] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.671] Sleep (dwMilliseconds=0xa) [0102.687] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.690] GetLastError () returned 0x2 [0102.690] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.690] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.690] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.690] Sleep (dwMilliseconds=0xa) [0102.701] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.702] GetLastError () returned 0x2 [0102.702] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.702] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.702] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.702] Sleep (dwMilliseconds=0xa) [0102.720] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.720] GetLastError () returned 0x2 [0102.720] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.721] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.721] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.721] Sleep (dwMilliseconds=0xa) [0102.733] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.733] GetLastError () returned 0x2 [0102.733] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.734] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.734] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.734] Sleep (dwMilliseconds=0xa) [0102.749] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.749] GetLastError () returned 0x2 [0102.749] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.749] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.749] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.749] Sleep (dwMilliseconds=0xa) [0102.764] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.764] GetLastError () returned 0x2 [0102.764] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.764] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.765] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.765] Sleep (dwMilliseconds=0xa) [0102.780] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.780] GetLastError () returned 0x2 [0102.780] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.780] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.780] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.780] Sleep (dwMilliseconds=0xa) [0102.796] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.796] GetLastError () returned 0x2 [0102.796] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.796] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.796] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.796] Sleep (dwMilliseconds=0xa) [0102.811] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.811] GetLastError () returned 0x2 [0102.811] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.811] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.811] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.811] Sleep (dwMilliseconds=0xa) [0102.826] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.827] GetLastError () returned 0x2 [0102.827] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.827] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.827] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.827] Sleep (dwMilliseconds=0xa) [0102.842] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.843] GetLastError () returned 0x2 [0102.843] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.843] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.843] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.843] Sleep (dwMilliseconds=0xa) [0102.858] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.858] GetLastError () returned 0x2 [0102.858] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.858] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.858] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.858] Sleep (dwMilliseconds=0xa) [0102.909] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0102.909] GetLastError () returned 0x2 [0102.909] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0102.909] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0102.909] RegCloseKey (hKey=0x2b0) returned 0x0 [0102.909] Sleep (dwMilliseconds=0xa) [0103.000] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0103.000] GetLastError () returned 0x2 [0103.000] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0103.001] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0103.001] RegCloseKey (hKey=0x2b0) returned 0x0 [0103.001] Sleep (dwMilliseconds=0xa) [0103.095] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0103.096] GetLastError () returned 0x2 [0103.096] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0103.096] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0103.096] RegCloseKey (hKey=0x2b0) returned 0x0 [0103.096] Sleep (dwMilliseconds=0xa) [0103.186] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0103.187] GetLastError () returned 0x2 [0103.187] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0103.187] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0103.187] RegCloseKey (hKey=0x2b0) returned 0x0 [0103.187] Sleep (dwMilliseconds=0xa) [0103.281] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0103.282] GetLastError () returned 0x2 [0103.282] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0103.282] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0103.282] RegCloseKey (hKey=0x2b0) returned 0x0 [0103.282] Sleep (dwMilliseconds=0xa) [0103.818] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0103.821] GetLastError () returned 0x2 [0103.822] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x454) returned 0x0 [0103.822] RegQueryValueExA (in: hKey=0x454, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0103.822] RegCloseKey (hKey=0x454) returned 0x0 [0103.822] Sleep (dwMilliseconds=0xa) [0104.009] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97b0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.009] GetLastError () returned 0x2 [0104.009] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.009] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.009] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.009] Sleep (dwMilliseconds=0xa) [0104.112] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.113] GetLastError () returned 0x2 [0104.113] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.113] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.113] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.113] Sleep (dwMilliseconds=0xa) [0104.198] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.198] GetLastError () returned 0x2 [0104.198] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.198] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.198] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.198] Sleep (dwMilliseconds=0xa) [0104.284] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.284] GetLastError () returned 0x2 [0104.285] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.285] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.285] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.285] Sleep (dwMilliseconds=0xa) [0104.403] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.404] GetLastError () returned 0x2 [0104.404] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.404] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.404] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.404] Sleep (dwMilliseconds=0xa) [0104.493] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.493] GetLastError () returned 0x2 [0104.493] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.493] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.493] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.493] Sleep (dwMilliseconds=0xa) [0104.610] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.610] GetLastError () returned 0x2 [0104.610] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.610] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.610] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.610] Sleep (dwMilliseconds=0xa) [0104.708] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.708] GetLastError () returned 0x2 [0104.709] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.709] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.709] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.709] Sleep (dwMilliseconds=0xa) [0104.861] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0104.861] GetLastError () returned 0x2 [0104.861] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0104.862] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0104.862] RegCloseKey (hKey=0x2b0) returned 0x0 [0104.862] Sleep (dwMilliseconds=0xa) [0105.099] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\11457D20.zeppelin", lpFindFileData=0x326fa64 | out: lpFindFileData=0x326fa64*(dwFileAttributes=0x326fab0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x326fbc0, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x18e97f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0x326fa70, dwReserved0=0xfc0608, dwReserved1=0x3260000, cFileName="", cAlternateFileName="ﳄ̦◐眨랇᭾￾￿ﲸ̦㔟眧\n")) returned 0xffffffff [0105.099] GetLastError () returned 0x2 [0105.099] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0x326fc3c | out: phkResult=0x326fc3c*=0x2b0) returned 0x0 [0105.099] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0x326fc40, lpData=0x0, lpcbData=0x326fc38*=0x326fcb0 | out: lpType=0x326fc40*=0x0, lpData=0x0, lpcbData=0x326fc38*=0x0) returned 0x2 [0105.099] RegCloseKey (hKey=0x2b0) returned 0x0 [0105.099] Sleep (dwMilliseconds=0xa) Thread: id = 31 os_tid = 0x1288 Thread: id = 32 os_tid = 0x129c Thread: id = 34 os_tid = 0x12ac Thread: id = 35 os_tid = 0x12a0 Thread: id = 36 os_tid = 0x12b8 Thread: id = 37 os_tid = 0xff0 Process: id = "5" image_name = "234561.exe" filename = "c:\\users\\fd1hvy\\desktop\\234561.exe" page_root = "0x12e21000" os_pid = "0x1170" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde4" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" " cur_dir = "C:\\WINDOWS\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "6" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x6ccdf000" os_pid = "0x1224" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde4" cmd_line = "C:\\WINDOWS\\SysWOW64\\WerFault.exe -u -p 3556 -s 1064" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 27 os_tid = 0x1238 Thread: id = 29 os_tid = 0x1260 Thread: id = 30 os_tid = 0x1274 Thread: id = 33 os_tid = 0x12a8 Thread: id = 42 os_tid = 0xb78 Process: id = "7" image_name = "explorer.exe" filename = "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe" page_root = "0x174cd000" os_pid = "0x12b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x112c" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" cur_dir = "C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 38 os_tid = 0x1130 [0101.314] GetModuleHandleA (lpModuleName=0x0) returned 0x12b0000 [0101.316] GetKeyboardType (nTypeFlag=0) returned 4 [0101.433] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0101.433] GetStartupInfoA (in: lpStartupInfo=0xcffc00 | out: lpStartupInfo=0xcffc00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0101.433] GetACP () returned 0x4e4 [0101.433] GetCurrentThreadId () returned 0x1130 [0101.433] GetModuleFileNameA (in: hModule=0x12b0000, lpFilename=0xcfeaf0, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0101.433] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xcfe9cb, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0101.433] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xcfeae0 | out: phkResult=0xcfeae0*=0x0) returned 0x2 [0101.433] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xcfeae0 | out: phkResult=0xcfeae0*=0x0) returned 0x2 [0101.434] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf0019, phkResult=0xcfeae0 | out: phkResult=0xcfeae0*=0x0) returned 0x2 [0101.434] lstrcpynA (in: lpString1=0xcfe9cb, lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", iMaxLength=261 | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" [0101.434] GetThreadLocale () returned 0x409 [0101.434] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0xcfeadb, cchData=5 | out: lpLCData="ENU") returned 4 [0101.434] lstrlenA (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe") returned 62 [0101.434] lstrcpynA (in: lpString1=0xcfea06, lpString2="ENU", iMaxLength=202 | out: lpString1="ENU") returned="ENU" [0101.434] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.ENU", hFile=0x0, dwFlags=0x2) returned 0x0 [0101.435] lstrcpynA (in: lpString1=0xcfea06, lpString2="EN", iMaxLength=202 | out: lpString1="EN") returned="EN" [0101.435] LoadLibraryExA (lpLibFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.EN", hFile=0x0, dwFlags=0x2) returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffdf, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffde, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffdc, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffdd, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffd0, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffd8, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffef, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffec, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffd3, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffd2, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffe5, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffe6, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.435] LoadStringA (in: hInstance=0x12b0000, uID=0xffe7, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xffe4, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xffe2, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xffe0, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xffff, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfffe, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfffd, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfffc, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfffb, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfffa, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfff9, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfff8, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfff7, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfff6, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfff5, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfff4, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] LoadStringA (in: hInstance=0x12b0000, uID=0xfff3, lpBuffer=0xcfec20, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.436] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x220000 [0101.437] LoadStringA (in: hInstance=0x12b0000, uID=0xfff1, lpBuffer=0xcfec0c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.437] LoadStringA (in: hInstance=0x12b0000, uID=0xffe1, lpBuffer=0xcfec0c, cchBufferMax=4096 | out: lpBuffer="") returned 0x0 [0101.437] GetVersionExA (in: lpVersionInformation=0xcffba4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xffffffff, dwMinorVersion=0xcffbc8, dwBuildNumber=0x0, dwPlatformId=0xcffbc4, szCSDVersion="") | out: lpVersionInformation=0xcffba4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0101.437] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0101.437] GetProcAddress (hModule=0x74030000, lpProcName="GetDiskFreeSpaceExA") returned 0x7409ee90 [0101.437] GetThreadLocale () returned 0x409 [0101.437] GetSystemMetrics (nIndex=42) returned 0 [0101.452] GetThreadLocale () returned 0x409 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Jan") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="January") returned 8 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Feb") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="February") returned 9 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Mar") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="March") returned 6 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Apr") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="April") returned 6 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="May") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="May") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Jun") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="June") returned 5 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Jul") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="July") returned 5 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Aug") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="August") returned 7 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Sep") returned 4 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="September") returned 10 [0101.452] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Oct") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="October") returned 8 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Nov") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="November") returned 9 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Dec") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="December") returned 9 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Sun") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Sunday") returned 7 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Mon") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Monday") returned 7 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Tue") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Tuesday") returned 8 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Wed") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Wednesday") returned 10 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Thu") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Thursday") returned 9 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Fri") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Friday") returned 7 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Sat") returned 4 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0xcffa7c, cchData=256 | out: lpLCData="Saturday") returned 9 [0101.453] GetThreadLocale () returned 0x409 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0xcffad8, cchData=256 | out: lpLCData="$") returned 2 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0xcffad8, cchData=256 | out: lpLCData="0") returned 2 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0xcffad8, cchData=256 | out: lpLCData="0") returned 2 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0xcffbd0, cchData=2 | out: lpLCData=",") returned 2 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0xcffbd0, cchData=2 | out: lpLCData=".") returned 2 [0101.453] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0xcffad8, cchData=256 | out: lpLCData="2") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0xcffbd0, cchData=2 | out: lpLCData="/") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0xcffad8, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0101.454] GetThreadLocale () returned 0x409 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0xcffaa4, cchData=256 | out: lpLCData="1") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0xcffad8, cchData=256 | out: lpLCData="dddd, MMMM d, yyyy") returned 19 [0101.454] GetThreadLocale () returned 0x409 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0xcffaa4, cchData=256 | out: lpLCData="1") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0xcffbd0, cchData=2 | out: lpLCData=":") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0xcffad8, cchData=256 | out: lpLCData="AM") returned 3 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0xcffad8, cchData=256 | out: lpLCData="PM") returned 3 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0xcffad8, cchData=256 | out: lpLCData="0") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0xcffad8, cchData=256 | out: lpLCData="0") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0xcffad8, cchData=256 | out: lpLCData="0") returned 2 [0101.454] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0xcffbd0, cchData=2 | out: lpLCData=",") returned 2 [0101.455] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x73e80000 [0101.455] GetProcAddress (hModule=0x73e80000, lpProcName="VariantChangeTypeEx") returned 0x73e9a610 [0101.455] GetProcAddress (hModule=0x73e80000, lpProcName="VarNeg") returned 0x73ee52c0 [0101.455] GetProcAddress (hModule=0x73e80000, lpProcName="VarNot") returned 0x73ee6560 [0101.455] GetProcAddress (hModule=0x73e80000, lpProcName="VarAdd") returned 0x73ebd610 [0101.455] GetProcAddress (hModule=0x73e80000, lpProcName="VarSub") returned 0x73ebe3e0 [0101.455] GetProcAddress (hModule=0x73e80000, lpProcName="VarMul") returned 0x73ebdb10 [0101.455] GetProcAddress (hModule=0x73e80000, lpProcName="VarDiv") returned 0x73ee5800 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarIdiv") returned 0x73ee61a0 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarMod") returned 0x73ee6400 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarAnd") returned 0x73eb3200 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarOr") returned 0x73ee6610 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarXor") returned 0x73ee67b0 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarCmp") returned 0x73ea60b0 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarI4FromStr") returned 0x73ea6ec0 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarR4FromStr") returned 0x73eb3010 [0101.456] GetProcAddress (hModule=0x73e80000, lpProcName="VarR8FromStr") returned 0x73eb3630 [0101.457] GetProcAddress (hModule=0x73e80000, lpProcName="VarDateFromStr") returned 0x73ea8b90 [0101.457] GetProcAddress (hModule=0x73e80000, lpProcName="VarCyFromStr") returned 0x73e92d90 [0101.457] GetProcAddress (hModule=0x73e80000, lpProcName="VarBoolFromStr") returned 0x73ea48f0 [0101.457] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromCy") returned 0x73ea7f50 [0101.457] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromDate") returned 0x73ea89c0 [0101.457] GetProcAddress (hModule=0x73e80000, lpProcName="VarBstrFromBool") returned 0x73ea48a0 [0101.457] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="") returned 0x1f4 [0101.458] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x1f8 [0101.458] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1fc [0101.458] QueryPerformanceCounter (in: lpPerformanceCount=0xcffc2c | out: lpPerformanceCount=0xcffc2c*=25948947982) returned 1 [0101.459] GetTickCount () returned 0x1169dfd [0101.460] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0101.464] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0101.470] GetFileAttributesW (lpFileName="-start" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\-start")) returned 0xffffffff [0101.470] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0101.473] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0101.477] FindFirstFileW (in: lpFileName="-start", lpFindFileData=0xcff94c | out: lpFindFileData=0xcff94c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x8ed53b6, ftCreationTime.dwHighDateTime=0xcffc78, ftLastAccessTime.dwLowDateTime=0x51b6c, ftLastAccessTime.dwHighDateTime=0x51b6c, ftLastWriteTime.dwLowDateTime=0x5, ftLastWriteTime.dwHighDateTime=0x9000, nFileSizeHigh=0x5ae9c, nFileSizeLow=0x12bfa5e, dwReserved0=0x51b6e, dwReserved1=0xcffc6c, cFileName="᭤\x05ﱸÏ᭢\x05", cAlternateFileName="\x01")) returned 0xffffffff [0101.477] GetLastError () returned 0x2 [0101.477] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0101.477] GetUserDefaultLangID () returned 0x409 [0101.477] GetLocaleInfoA (in: Locale=0x800, LCType=0x5, lpLCData=0xcffb88, cchData=19 | out: lpLCData="1") returned 2 [0101.478] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xcffa34, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0101.478] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2dcd38, cbMultiByte=17, lpWideCharStr=0xcfeb38, cchWideChar=2047 | out: lpWideCharStr="7549B699.zeppelin") returned 17 [0101.478] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359780, cbMultiByte=4, lpWideCharStr=0xcfe8ec, cchWideChar=2047 | out: lpWideCharStr="TEMPɠ\x05\x12") returned 4 [0101.478] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0xcff912, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0101.478] SysReAllocStringLen (in: pbstr=0xcffb5c*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0xcffb5c*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0101.478] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\7549b699.zeppelin"), dwDesiredAccess=0x40000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0102.174] WriteFile (in: hFile=0x200, lpBuffer=0x351b38*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0xcffb60, lpOverlapped=0x0 | out: lpBuffer=0x351b38*, lpNumberOfBytesWritten=0xcffb60*=0x1, lpOverlapped=0x0) returned 1 [0102.176] CloseHandle (hObject=0x200) returned 1 [0102.176] Sleep (dwMilliseconds=0x29a) [0102.858] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xcff918 | out: lpFindFileData=0xcff918*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb459d8fc, ftCreationTime.dwHighDateTime=0x1d5cfcc, ftLastAccessTime.dwLowDateTime=0xb459d8fc, ftLastAccessTime.dwHighDateTime=0x1d5cfcc, ftLastWriteTime.dwLowDateTime=0xb459d8fc, ftLastWriteTime.dwHighDateTime=0x1d5cfcc, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="7549B699.zeppelin", cAlternateFileName="7549B6~1.ZEP")) returned 0x69a38 [0102.859] FileTimeToLocalFileTime (in: lpFileTime=0xcff92c, lpLocalFileTime=0xcff8c4 | out: lpLocalFileTime=0xcff8c4) returned 1 [0102.859] FileTimeToDosDateTime (in: lpFileTime=0xcff8c4, lpFatDate=0xcff8fa, lpFatTime=0xcff8f8 | out: lpFatDate=0xcff8fa, lpFatTime=0xcff8f8) returned 1 [0102.859] FindClose (in: hFindFile=0x69a38 | out: hFindFile=0x69a38) returned 1 [0102.859] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\7549b699.zeppelin")) returned 1 [0102.860] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xcffa38, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0102.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x2dcd38, cbMultiByte=17, lpWideCharStr=0xcfeb3c, cchWideChar=2047 | out: lpWideCharStr="7549B699.zeppelin") returned 17 [0102.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359750, cbMultiByte=4, lpWideCharStr=0xcfe8f0, cchWideChar=2047 | out: lpWideCharStr="TEMP\x12") returned 4 [0102.861] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0xcff916, nSize=0x20a | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 0x22 [0102.861] SysReAllocStringLen (in: pbstr=0xcffb60*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp", len=0x22 | out: pbstr=0xcffb60*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp") returned 1 [0102.861] SysReAllocStringLen (in: pbstr=0x33c0a8*=0x0, psz="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", len=0x34 | out: pbstr=0x33c0a8*="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin") returned 1 [0102.861] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12b4694, lpParameter=0x351b30, dwCreationFlags=0x4, lpThreadId=0x33c070 | out: lpThreadId=0x33c070*=0xfd4) returned 0x200 [0102.862] ResumeThread (hThread=0x200) returned 0x1 [0102.862] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0102.862] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start" [0102.862] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exe", cchCount1=11, lpString2="agntsvc.exeagntsvc.exe", cchCount2=22) returned 1 [0102.864] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exe", cchCount1=11, lpString2="agntsvc.exeencsvc.exe", cchCount2=21) returned 1 [0102.864] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeagntsvc.exe", cchCount1=22, lpString2="agntsvc.exeencsvc.exe", cchCount2=21) returned 1 [0102.864] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeagntsvc.exe", cchCount1=22, lpString2="agntsvc.exeisqlplussvc.exe", cchCount2=26) returned 1 [0102.864] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="agntsvc.exeisqlplussvc.exe", cchCount2=26) returned 1 [0102.864] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeagntsvc.exe", cchCount1=22, lpString2="anvir.exe", cchCount2=9) returned 1 [0102.864] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="anvir.exe", cchCount2=9) returned 1 [0102.864] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="anvir.exe", cchCount2=9) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="anvir64.exe", cchCount2=11) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="anvir64.exe", cchCount2=11) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="anvir64.exe", cchCount2=11) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeencsvc.exe", cchCount1=21, lpString2="apache.exe", cchCount2=10) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="apache.exe", cchCount2=10) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="apache.exe", cchCount2=10) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="backup.exe", cchCount2=10) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="backup.exe", cchCount2=10) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="backup.exe", cchCount2=10) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="agntsvc.exeisqlplussvc.exe", cchCount1=26, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="ccleaner.exe", cchCount2=12) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="ccleaner64.exe", cchCount2=14) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir.exe", cchCount1=9, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0102.865] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="dbeng50.exe", cchCount2=11) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="dbsnmp.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="anvir64.exe", cchCount1=11, lpString2="encsvc.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="encsvc.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="encsvc.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="encsvc.exe", cchCount2=10) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="far.exe", cchCount2=7) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="far.exe", cchCount2=7) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="far.exe", cchCount2=7) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="far.exe", cchCount2=7) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="apache.exe", cchCount1=10, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="firefoxconfig.exe", cchCount2=17) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="infopath.exe", cchCount2=12) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="infopath.exe", cchCount2=12) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="infopath.exe", cchCount2=12) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="infopath.exe", cchCount2=12) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="backup.exe", cchCount1=10, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0102.866] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="isqlplussvc.exe", cchCount2=15) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="kingdee.exe", cchCount2=11) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="kingdee.exe", cchCount2=11) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="kingdee.exe", cchCount2=11) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="kingdee.exe", cchCount2=11) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="kingdee.exe", cchCount2=11) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner.exe", cchCount1=12, lpString2="msaccess.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="msaccess.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="msaccess.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="msaccess.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="msaccess.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="msftesql.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="msftesql.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="msftesql.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="msftesql.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="msftesql.exe", cchCount2=12) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ccleaner64.exe", cchCount1=14, lpString2="mspub.exe", cchCount2=9) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="mspub.exe", cchCount2=9) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="mspub.exe", cchCount2=9) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="mspub.exe", cchCount2=9) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="mspub.exe", cchCount2=9) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mydesktopqos.exe", cchCount2=16) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbeng50.exe", cchCount1=11, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0102.867] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="mydesktopservice.exe", cchCount2=20) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="mysqld-nt.exe", cchCount2=13) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="dbsnmp.exe", cchCount1=10, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="mysqld-opt.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="mysqld.exe", cchCount2=10) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="mysqld.exe", cchCount2=10) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="mysqld.exe", cchCount2=10) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="mysqld.exe", cchCount2=10) returned 3 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="mysqld.exe", cchCount2=10) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="encsvc.exe", cchCount1=10, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="ncsvc.exe", cchCount2=9) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="ocautoupds.exe", cchCount2=14) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="far.exe", cchCount1=7, lpString2="ocomm.exe", cchCount2=9) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="ocomm.exe", cchCount2=9) returned 1 [0102.868] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="ocomm.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="ocomm.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="ocomm.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="ocssd.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="ocssd.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="ocssd.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="ocssd.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="ocssd.exe", cchCount2=9) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="firefoxconfig.exe", cchCount1=17, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="oracle.exe", cchCount2=10) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="oracle.exe", cchCount2=10) returned 2 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="procexp.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="procexp.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="procexp.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="procexp.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="procexp.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="infopath.exe", cchCount1=12, lpString2="regedit.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="regedit.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="regedit.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="regedit.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="regedit.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="regedit.exe", cchCount2=11) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0102.869] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sqbcoreservice.exe", cchCount2=18) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="isqlplussvc.exe", cchCount1=15, lpString2="sql.exe", cchCount2=7) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-opt.exe", cchCount1=14, lpString2="sql.exe", cchCount2=7) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="sql.exe", cchCount2=7) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="sql.exe", cchCount2=7) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sql.exe", cchCount2=7) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sql.exe", cchCount2=7) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlagent.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="kingdee.exe", cchCount1=11, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ncsvc.exe", cchCount1=9, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="sqlbrowser.exe", cchCount2=14) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocautoupds.exe", cchCount1=14, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="sqlserver.exe", cchCount2=13) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msaccess.exe", cchCount1=12, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocomm.exe", cchCount1=9, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0102.870] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="sqlservr.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="sqlwriter.exe", cchCount2=13) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="msftesql.exe", cchCount1=12, lpString2="synctime.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ocssd.exe", cchCount1=9, lpString2="synctime.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="synctime.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="synctime.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="synctime.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="synctime.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="taskkill.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="oracle.exe", cchCount1=10, lpString2="taskkill.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="taskkill.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="taskkill.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="taskkill.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="taskkill.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mspub.exe", cchCount1=9, lpString2="tasklist.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="procexp.exe", cchCount1=11, lpString2="tasklist.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="tasklist.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="tasklist.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="tasklist.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="tasklist.exe", cchCount2=12) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0102.871] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="taskmgr.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopqos.exe", cchCount1=16, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="regedit.exe", cchCount1=11, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlservr.exe", cchCount1=12, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="tbirdconfig.exe", cchCount2=15) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="tomcat.exe", cchCount2=10) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqbcoreservice.exe", cchCount1=18, lpString2="tomcat.exe", cchCount2=10) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlwriter.exe", cchCount1=13, lpString2="tomcat.exe", cchCount2=10) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="tomcat.exe", cchCount2=10) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="tomcat.exe", cchCount2=10) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="tomcat.exe", cchCount2=10) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mydesktopservice.exe", cchCount1=20, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sql.exe", cchCount1=7, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="synctime.exe", cchCount1=12, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat.exe", cchCount1=10, lpString2="tomcat6.exe", cchCount2=11) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="u8.exe", cchCount2=6) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="u8.exe", cchCount2=6) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="u8.exe", cchCount2=6) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="u8.exe", cchCount2=6) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat.exe", cchCount1=10, lpString2="u8.exe", cchCount2=6) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat6.exe", cchCount1=11, lpString2="u8.exe", cchCount2=6) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld.exe", cchCount1=10, lpString2="ufida.exe", cchCount2=9) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlagent.exe", cchCount1=12, lpString2="ufida.exe", cchCount2=9) returned 1 [0102.872] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskkill.exe", cchCount1=12, lpString2="ufida.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tbirdconfig.exe", cchCount1=15, lpString2="ufida.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat6.exe", cchCount1=11, lpString2="ufida.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="u8.exe", cchCount1=6, lpString2="ufida.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="visio.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlbrowser.exe", cchCount1=14, lpString2="visio.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tasklist.exe", cchCount1=12, lpString2="visio.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat.exe", cchCount1=10, lpString2="visio.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="u8.exe", cchCount1=6, lpString2="visio.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ufida.exe", cchCount1=9, lpString2="visio.exe", cchCount2=9) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="mysqld-nt.exe", cchCount1=13, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="sqlserver.exe", cchCount1=13, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="taskmgr.exe", cchCount1=11, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="tomcat6.exe", cchCount1=11, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="ufida.exe", cchCount1=9, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0102.873] CompareStringA (Locale=0x400, dwCmpFlags=0x1, lpString1="visio.exe", cchCount1=9, lpString2="xfssvccon.exe", cchCount2=13) returned 1 [0102.873] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x12b4694, lpParameter=0x351b60, dwCreationFlags=0x4, lpThreadId=0x33c0b8 | out: lpThreadId=0x33c0b8*=0xfdc) returned 0x208 [0102.874] ResumeThread (hThread=0x208) returned 0x1 [0102.877] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin\\Keys", ulOptions=0x0, samDesired=0x20019, phkResult=0xcffa9c | out: phkResult=0xcffa9c*=0x0) returned 0x2 [0102.877] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin\\Keys", ulOptions=0x0, samDesired=0x20019, phkResult=0xcffa9c | out: phkResult=0xcffa9c*=0x0) returned 0x2 [0102.877] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0102.878] PeekMessageA (in: lpMsg=0xcffa7c, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0xcffa7c) returned 0 [0126.074] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin\\Keys", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0xcffaa0, lpdwDisposition=0xcffaa4 | out: phkResult=0xcffaa0*=0x218, lpdwDisposition=0xcffaa4*=0x1) returned 0x0 [0126.400] RegSetValueExA (in: hKey=0x218, lpValueName="Public Key", Reserved=0x0, dwType=0x1, lpData="4A5x9bn/a9Fz+rnbahc3//eLPrPQCH7ziSPTvfbzp2YAUfKSJZNA9N3PQN9Cb0PwHt6rPbP6lFXe9wicZRWV791e/dOtykpOvETaWIVjQVfwkjyhl6zF9JSGvW9CRo+M94F/buBbkVJB3oG6Td/E3zX6HnZ1yo2z4O2QM/8uz8YaEtHSkdVxFpwusEjNLinstBBH5ykYGy6N7tRuaTDTrGWl/C4U1G3F1ybMi/hfPNU54rJHNbng2ZeUL+Ted9OlLHSChrbDkGEVQUmOoqA8XMkQYtY6wSaYvPuazppE6I9dIBuAYZ/MzyO9VcfYSAaAf2bUgQprsi/AnW8DDh0FCUCypGR3FcvZasaqZmdRuFqaBUGFzPRF6vn77Px4sIGMukaX+7MIlVSZqqCE4ivm8w==", cbData=0x199 | out: lpData="4A5x9bn/a9Fz+rnbahc3//eLPrPQCH7ziSPTvfbzp2YAUfKSJZNA9N3PQN9Cb0PwHt6rPbP6lFXe9wicZRWV791e/dOtykpOvETaWIVjQVfwkjyhl6zF9JSGvW9CRo+M94F/buBbkVJB3oG6Td/E3zX6HnZ1yo2z4O2QM/8uz8YaEtHSkdVxFpwusEjNLinstBBH5ykYGy6N7tRuaTDTrGWl/C4U1G3F1ybMi/hfPNU54rJHNbng2ZeUL+Ted9OlLHSChrbDkGEVQUmOoqA8XMkQYtY6wSaYvPuazppE6I9dIBuAYZ/MzyO9VcfYSAaAf2bUgQprsi/AnW8DDh0FCUCypGR3FcvZasaqZmdRuFqaBUGFzPRF6vn77Px4sIGMukaX+7MIlVSZqqCE4ivm8w==") returned 0x0 [0126.400] RegCloseKey (hKey=0x218) returned 0x0 [0126.400] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin\\Keys", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0xcffaa0, lpdwDisposition=0xcffaa4 | out: phkResult=0xcffaa0*=0x218, lpdwDisposition=0xcffaa4*=0x2) returned 0x0 [0126.400] RegSetValueExA (in: hKey=0x218, lpValueName="Encrypted Private Key", Reserved=0x0, dwType=0x1, lpData="wsuOBHOMP1tQCqau2q1qQPL1I73Sp8jiWBJt+CFiWpVAxyQzWE0cGFb8DbAPS1mzABxwhaIfMHEENtVGCZrcGtTnspndEScJTVMtAoEi4xQvpZnsWYjLMI3Qf+/ZheWhvETB35jpXb645m2nxE5E7d+Syzvn0GAQaNqdrFKmX4SDxQl7GVux61OIHrOmdjGc9sLraRIjiaZGl5AXKJKD44jitJnuyab+3Z4ATpnCU/uFzCU0LO2B40kcQefK/NfmoEdpkxnrFN3Jc8tG+ED0gH1AWoVZrNhoypYKkKwd+rBodNzR9eXU7oIuCwa04Vc3Zaipgvif7AyYnZyToMeKd6CoSmtOMZzS7fqbMvsCZn+ko+YunuxpzC0K9vBXM8T6ZRF1sBsQC4IKu3e3sXHoTtDxMuIOmwQvhrn76qN+93V35k1f6oCipSGVi6xHgjE/Z1Z5CQ3Eb1gvGCt2F5T2RI0zExooD2/c5ZHPBv7GfeMk3kli0GjAbjJ0bjLU4HuuMMNxVgdC5ktBXaklmDp6NN5DXnPemWqilfzfryBAv6/Tb6rzbbhPodr6eLpIu2cSf0LA0rmu3AyOiHW55rFuA/wUdm3ExwTeVUYLFghfFysmGpleUzFdUZjzGhT0y254houLjiBMHcDhqqXbPSnwtsMJWYGu/X5yOscur9u6OeR8lGKs+tVwJJYeJlz1aihRM42wMR/RieGEIqdG+48KpWvbkvTgAYJ5r+49fPJB6elhplhr5dbP8LvGfrV8qak5CzuusiZfGsuAfVHdjk1z9K5R260937hR54T8jl+POFyVSjK+rlh32SSNjozClq4Iwn5i3/TGERPhN1zMqmiZx+YcX9FnF0ew4BxFKtH2gUAgMFj7IclwstJEXWcDeysuj7iybfVpooTH/SIEqv1zlo1Bez2Smk7FLtBRbGSZ37W8+r19sIux+C+rjpXBmM9NwQTMK0XZ/0ryOTSusrU5Kx8WmwRAVJ1zlclFjYXxKdwRcYoqdAiKMpicQeh4pFmFZJM/Xkk85HRN96/wXKm5SAdF5eYNpKQ9DgU1Q29+YBGAJQaNSi9pmDlIPiFmvHqu3P+v1ZQPr8RI+EOFPwdTeDpsCXvOUUy3ynYlfd4hR5c+MB3QlL+Atee7uQOFTyLDsi79Qkd2IP0XbiPabAzHpdsg0A0RVQje1RVmx495emCupiu/vvjolk5TS0Lj23gB1LfP2uKyVnbPIWB4HsGe5ynZ0teyV3pgpXH7QX0bbthlwFReraDvjeZwoK7ny4UXpXL/78PChWacJBU/oWyuouCa5pHYfGcSo/awVkXB8xi3erS+4SuADr1vlXBI6GAhSEubiLhU2QlZ04IGVJFh0cCN2vcUGJ57fC/oBA6gZyQtVDt/Xiwv8fI9h5urZiAKFd/eLHHE2p+uXvmIjKEAoBLb87Xmro9bFDbCQ9JBv/mfAjHb3mV1n6IweALoV8yhiGrD15usZT+PY6NgBz1Tpt2CJRUs8SKI89YFS6I2GfjarVSfR6R5c8qDaz2WriIafWkIs2HHlUs9ObSClJiDwYZfb5GT7RSwy1Gagv+c5PhzFOqjO33oaGVIFT6z4MumTyZmTz4d2wSJiybkRahsMaNShYEQ5MExhZwBbQQUUG6moR+llqgfIQ94Usr8mNkxeDYfSVvJhpxGo39ABgcrfMd50aIrC4w+tQu5Ld+fZvK1ev6Rt1DxM5HCNboEmmCM6sXMrg==", cbData=0x6c9 | out: lpData="wsuOBHOMP1tQCqau2q1qQPL1I73Sp8jiWBJt+CFiWpVAxyQzWE0cGFb8DbAPS1mzABxwhaIfMHEENtVGCZrcGtTnspndEScJTVMtAoEi4xQvpZnsWYjLMI3Qf+/ZheWhvETB35jpXb645m2nxE5E7d+Syzvn0GAQaNqdrFKmX4SDxQl7GVux61OIHrOmdjGc9sLraRIjiaZGl5AXKJKD44jitJnuyab+3Z4ATpnCU/uFzCU0LO2B40kcQefK/NfmoEdpkxnrFN3Jc8tG+ED0gH1AWoVZrNhoypYKkKwd+rBodNzR9eXU7oIuCwa04Vc3Zaipgvif7AyYnZyToMeKd6CoSmtOMZzS7fqbMvsCZn+ko+YunuxpzC0K9vBXM8T6ZRF1sBsQC4IKu3e3sXHoTtDxMuIOmwQvhrn76qN+93V35k1f6oCipSGVi6xHgjE/Z1Z5CQ3Eb1gvGCt2F5T2RI0zExooD2/c5ZHPBv7GfeMk3kli0GjAbjJ0bjLU4HuuMMNxVgdC5ktBXaklmDp6NN5DXnPemWqilfzfryBAv6/Tb6rzbbhPodr6eLpIu2cSf0LA0rmu3AyOiHW55rFuA/wUdm3ExwTeVUYLFghfFysmGpleUzFdUZjzGhT0y254houLjiBMHcDhqqXbPSnwtsMJWYGu/X5yOscur9u6OeR8lGKs+tVwJJYeJlz1aihRM42wMR/RieGEIqdG+48KpWvbkvTgAYJ5r+49fPJB6elhplhr5dbP8LvGfrV8qak5CzuusiZfGsuAfVHdjk1z9K5R260937hR54T8jl+POFyVSjK+rlh32SSNjozClq4Iwn5i3/TGERPhN1zMqmiZx+YcX9FnF0ew4BxFKtH2gUAgMFj7IclwstJEXWcDeysuj7iybfVpooTH/SIEqv1zlo1Bez2Smk7FLtBRbGSZ37W8+r19sIux+C+rjpXBmM9NwQTMK0XZ/0ryOTSusrU5Kx8WmwRAVJ1zlclFjYXxKdwRcYoqdAiKMpicQeh4pFmFZJM/Xkk85HRN96/wXKm5SAdF5eYNpKQ9DgU1Q29+YBGAJQaNSi9pmDlIPiFmvHqu3P+v1ZQPr8RI+EOFPwdTeDpsCXvOUUy3ynYlfd4hR5c+MB3QlL+Atee7uQOFTyLDsi79Qkd2IP0XbiPabAzHpdsg0A0RVQje1RVmx495emCupiu/vvjolk5TS0Lj23gB1LfP2uKyVnbPIWB4HsGe5ynZ0teyV3pgpXH7QX0bbthlwFReraDvjeZwoK7ny4UXpXL/78PChWacJBU/oWyuouCa5pHYfGcSo/awVkXB8xi3erS+4SuADr1vlXBI6GAhSEubiLhU2QlZ04IGVJFh0cCN2vcUGJ57fC/oBA6gZyQtVDt/Xiwv8fI9h5urZiAKFd/eLHHE2p+uXvmIjKEAoBLb87Xmro9bFDbCQ9JBv/mfAjHb3mV1n6IweALoV8yhiGrD15usZT+PY6NgBz1Tpt2CJRUs8SKI89YFS6I2GfjarVSfR6R5c8qDaz2WriIafWkIs2HHlUs9ObSClJiDwYZfb5GT7RSwy1Gagv+c5PhzFOqjO33oaGVIFT6z4MumTyZmTz4d2wSJiybkRahsMaNShYEQ5MExhZwBbQQUUG6moR+llqgfIQ94Usr8mNkxeDYfSVvJhpxGo39ABgcrfMd50aIrC4w+tQu5Ld+fZvK1ev6Rt1DxM5HCNboEmmCM6sXMrg==") returned 0x0 [0126.401] RegCloseKey (hKey=0x218) returned 0x0 [0126.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359a80, cbMultiByte=9, lpWideCharStr=0xcfeb50, cchWideChar=2047 | out: lpWideCharStr="") returned 9 [0126.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x27ffb8, cbMultiByte=935, lpWideCharStr=0xcfeb4c, cchWideChar=2047 | out: lpWideCharStr="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n") returned 935 [0126.402] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359ab0, cbMultiByte=11, lpWideCharStr=0xcfeb48, cchWideChar=2047 | out: lpWideCharStr="A7B-089-17COUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n") returned 11 [0126.402] SysReAllocStringLen (in: pbstr=0xcffb48*=0x0, psz="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n", len=0x3a7 | out: pbstr=0xcffb48*="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n") returned 1 [0126.403] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n", cchWideChar=935, lpMultiByteStr=0xcfeb14, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n", lpUsedDefaultChar=0x0) returned 935 [0126.403] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="", cchWideChar=9, lpMultiByteStr=0xcfeb10, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n", lpUsedDefaultChar=0x0) returned 9 [0126.403] SysReAllocStringLen (in: pbstr=0xcffb9c*=0x0, psz="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n", len=0x3a7 | out: pbstr=0xcffb9c*="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n") returned 1 [0126.403] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n", cchWideChar=935, lpMultiByteStr=0xcfeb54, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="!!! ALL YOUR FILES ARE ENCRYPTED !!!\r\n\r\nAll your files, documents, photos, databases and other important files are encrypted.\r\n\r\nYou are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\n\r\nTo be sure we have the decryptor and it works you can send an email: puljaipopre1981@protonmail.com\r\nand decrypt one file for free.\r\nBut this file should be of not valuable!\r\n\r\nDo you really want to restore your files?\r\nWrite to email: puljaipopre1981@protonmail.com\r\nReserved email: viomukinam1978@protonmail.com\r\n\r\n\r\n\r\nAttention!\r\n * Do not rename encrypted files.\r\n * Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.\r\n", lpUsedDefaultChar=0x0) returned 935 [0126.403] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0xcffb78 | out: lphEnum=0xcffb78*=0x6a078) returned 0x0 [0128.449] WNetEnumResourceW (in: hEnum=0x6a078, lpcCount=0xcffb68, lpBuffer=0x7bfe8, lpBufferSize=0xcffb6c | out: lpcCount=0xcffb68, lpBuffer=0x7bfe8, lpBufferSize=0xcffb6c) returned 0x0 [0128.450] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x351b78, cbMultiByte=2, lpWideCharStr=0xcfeb0c, cchWideChar=2047 | out: lpWideCharStr="\\\\\x18") returned 2 [0128.450] WNetOpenEnumW (in: dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x7bfe8, lphEnum=0xcffb20 | out: lphEnum=0xcffb20*=0x657d0) returned 0x0 [0128.457] WNetEnumResourceW (in: hEnum=0x657d0, lpcCount=0xcffb10, lpBuffer=0x827b0, lpBufferSize=0xcffb14 | out: lpcCount=0xcffb10, lpBuffer=0x827b0, lpBufferSize=0xcffb14) returned 0x103 [0128.458] WNetCloseEnum (hEnum=0x657d0) returned 0x0 [0128.458] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x351b88, cbMultiByte=2, lpWideCharStr=0xcfeb0c, cchWideChar=2047 | out: lpWideCharStr="\\\\\x18") returned 2 [0128.458] WNetOpenEnumW (dwScope=0x2, dwType=0x0, dwUsage=0x0, lpNetResource=0x7c008, lphEnum=0xcffb20) Thread: id = 39 os_tid = 0x4b0 Thread: id = 40 os_tid = 0xfd4 [0102.908] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x77390000, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xf7f828, nFileSizeHigh=0xb31000, nFileSizeLow=0xb28000, dwReserved0=0x0, dwReserved1=0xf7f7b4, cFileName="", cAlternateFileName="")) returned 0xffffffff [0102.908] GetLastError () returned 0x2 [0102.908] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0102.908] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0102.908] RegCloseKey (hKey=0x20c) returned 0x0 [0102.908] Sleep (dwMilliseconds=0xa) [0103.001] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359528, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0103.002] GetLastError () returned 0x2 [0103.002] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0103.003] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0103.003] RegCloseKey (hKey=0x210) returned 0x0 [0103.003] Sleep (dwMilliseconds=0xa) [0103.094] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3594f8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0103.094] GetLastError () returned 0x2 [0103.094] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0103.095] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0103.095] RegCloseKey (hKey=0x210) returned 0x0 [0103.095] Sleep (dwMilliseconds=0xa) [0103.187] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0103.187] GetLastError () returned 0x2 [0103.187] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0103.188] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0103.188] RegCloseKey (hKey=0x210) returned 0x0 [0103.188] Sleep (dwMilliseconds=0xa) [0103.280] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3594c8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0103.280] GetLastError () returned 0x2 [0103.280] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0103.281] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0103.281] RegCloseKey (hKey=0x210) returned 0x0 [0103.281] Sleep (dwMilliseconds=0xa) [0103.822] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0103.823] GetLastError () returned 0x2 [0103.823] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0103.823] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0103.831] RegCloseKey (hKey=0x214) returned 0x0 [0103.831] Sleep (dwMilliseconds=0xa) [0104.007] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.008] GetLastError () returned 0x2 [0104.008] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0104.008] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.008] RegCloseKey (hKey=0x210) returned 0x0 [0104.008] Sleep (dwMilliseconds=0xa) [0104.113] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359438, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.113] GetLastError () returned 0x2 [0104.113] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0104.114] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.114] RegCloseKey (hKey=0x20c) returned 0x0 [0104.114] Sleep (dwMilliseconds=0xa) [0104.195] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359588, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.196] GetLastError () returned 0x2 [0104.196] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0104.197] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.197] RegCloseKey (hKey=0x210) returned 0x0 [0104.197] Sleep (dwMilliseconds=0xa) [0104.285] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.285] GetLastError () returned 0x2 [0104.285] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0104.286] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.286] RegCloseKey (hKey=0x210) returned 0x0 [0104.286] Sleep (dwMilliseconds=0xa) [0104.401] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.402] GetLastError () returned 0x2 [0104.402] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0104.403] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.403] RegCloseKey (hKey=0x210) returned 0x0 [0104.403] Sleep (dwMilliseconds=0xa) [0104.494] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.494] GetLastError () returned 0x2 [0104.494] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0104.495] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.495] RegCloseKey (hKey=0x210) returned 0x0 [0104.495] Sleep (dwMilliseconds=0xa) [0104.608] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.608] GetLastError () returned 0x2 [0104.608] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0104.609] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.609] RegCloseKey (hKey=0x214) returned 0x0 [0104.609] Sleep (dwMilliseconds=0xa) [0104.709] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.709] GetLastError () returned 0x2 [0104.709] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0104.710] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.710] RegCloseKey (hKey=0x210) returned 0x0 [0104.710] Sleep (dwMilliseconds=0xa) [0104.862] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0104.862] GetLastError () returned 0x2 [0104.862] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0104.863] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0104.863] RegCloseKey (hKey=0x210) returned 0x0 [0104.863] Sleep (dwMilliseconds=0xa) [0105.098] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0105.098] GetLastError () returned 0x2 [0105.098] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0105.099] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0105.099] RegCloseKey (hKey=0x210) returned 0x0 [0105.099] Sleep (dwMilliseconds=0xa) [0105.356] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0105.356] GetLastError () returned 0x2 [0105.356] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0105.357] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0105.357] RegCloseKey (hKey=0x20c) returned 0x0 [0105.373] Sleep (dwMilliseconds=0xa) [0105.690] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0105.691] GetLastError () returned 0x2 [0105.691] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0105.694] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0105.694] RegCloseKey (hKey=0x210) returned 0x0 [0105.694] Sleep (dwMilliseconds=0xa) [0105.865] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0105.866] GetLastError () returned 0x2 [0105.866] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0105.867] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0105.867] RegCloseKey (hKey=0x210) returned 0x0 [0105.867] Sleep (dwMilliseconds=0xa) [0106.051] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0106.052] GetLastError () returned 0x2 [0106.052] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0106.053] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0106.053] RegCloseKey (hKey=0x210) returned 0x0 [0106.053] Sleep (dwMilliseconds=0xa) [0106.217] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0106.217] GetLastError () returned 0x2 [0106.217] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0106.218] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0106.218] RegCloseKey (hKey=0x214) returned 0x0 [0106.218] Sleep (dwMilliseconds=0xa) [0106.410] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0106.410] GetLastError () returned 0x2 [0106.411] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0106.412] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0106.412] RegCloseKey (hKey=0x210) returned 0x0 [0106.412] Sleep (dwMilliseconds=0xa) [0106.563] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0106.563] GetLastError () returned 0x2 [0106.564] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0106.564] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0106.564] RegCloseKey (hKey=0x210) returned 0x0 [0106.564] Sleep (dwMilliseconds=0xa) [0106.671] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0106.672] GetLastError () returned 0x2 [0106.672] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0106.672] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0106.672] RegCloseKey (hKey=0x210) returned 0x0 [0106.672] Sleep (dwMilliseconds=0xa) [0106.810] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0106.811] GetLastError () returned 0x2 [0106.811] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0106.812] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0106.812] RegCloseKey (hKey=0x20c) returned 0x0 [0106.812] Sleep (dwMilliseconds=0xa) [0106.912] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0106.912] GetLastError () returned 0x2 [0106.912] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0106.914] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0106.914] RegCloseKey (hKey=0x210) returned 0x0 [0106.914] Sleep (dwMilliseconds=0xa) [0107.100] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0107.110] GetLastError () returned 0x2 [0107.110] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0107.143] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0107.143] RegCloseKey (hKey=0x210) returned 0x0 [0107.143] Sleep (dwMilliseconds=0xa) [0107.279] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0107.281] GetLastError () returned 0x2 [0107.282] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0107.295] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0107.295] RegCloseKey (hKey=0x214) returned 0x0 [0107.295] Sleep (dwMilliseconds=0xa) [0107.493] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0107.501] GetLastError () returned 0x2 [0107.501] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0107.505] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0107.505] RegCloseKey (hKey=0x210) returned 0x0 [0107.505] Sleep (dwMilliseconds=0xa) [0107.629] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0107.629] GetLastError () returned 0x2 [0107.629] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0107.630] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0107.630] RegCloseKey (hKey=0x210) returned 0x0 [0107.630] Sleep (dwMilliseconds=0xa) [0107.737] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0107.737] GetLastError () returned 0x2 [0107.737] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0107.737] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0107.737] RegCloseKey (hKey=0x210) returned 0x0 [0107.737] Sleep (dwMilliseconds=0xa) [0107.810] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0107.810] GetLastError () returned 0x2 [0107.810] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0107.811] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0107.811] RegCloseKey (hKey=0x20c) returned 0x0 [0107.811] Sleep (dwMilliseconds=0xa) [0107.892] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0107.893] GetLastError () returned 0x2 [0107.894] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0107.900] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0107.900] RegCloseKey (hKey=0x210) returned 0x0 [0107.900] Sleep (dwMilliseconds=0xa) [0108.048] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359528, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.048] GetLastError () returned 0x2 [0108.048] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0108.049] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.049] RegCloseKey (hKey=0x214) returned 0x0 [0108.049] Sleep (dwMilliseconds=0xa) [0108.179] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.179] GetLastError () returned 0x2 [0108.179] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0108.180] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.180] RegCloseKey (hKey=0x210) returned 0x0 [0108.180] Sleep (dwMilliseconds=0xa) [0108.255] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x34aa28, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.255] GetLastError () returned 0x2 [0108.256] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0108.256] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.256] RegCloseKey (hKey=0x210) returned 0x0 [0108.256] Sleep (dwMilliseconds=0xa) [0108.377] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.377] GetLastError () returned 0x2 [0108.377] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0108.378] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.378] RegCloseKey (hKey=0x210) returned 0x0 [0108.378] Sleep (dwMilliseconds=0xa) [0108.514] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.514] GetLastError () returned 0x2 [0108.514] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0108.515] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.515] RegCloseKey (hKey=0x210) returned 0x0 [0108.515] Sleep (dwMilliseconds=0xa) [0108.625] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.625] GetLastError () returned 0x2 [0108.625] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0108.626] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.626] RegCloseKey (hKey=0x210) returned 0x0 [0108.626] Sleep (dwMilliseconds=0xa) [0108.791] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.791] GetLastError () returned 0x2 [0108.792] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0108.792] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.792] RegCloseKey (hKey=0x210) returned 0x0 [0108.792] Sleep (dwMilliseconds=0xa) [0108.935] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0108.936] GetLastError () returned 0x2 [0108.937] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0108.938] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0108.938] RegCloseKey (hKey=0x210) returned 0x0 [0108.938] Sleep (dwMilliseconds=0xa) [0109.067] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0109.067] GetLastError () returned 0x2 [0109.067] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0109.068] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0109.068] RegCloseKey (hKey=0x210) returned 0x0 [0109.068] Sleep (dwMilliseconds=0xa) [0109.167] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0109.168] GetLastError () returned 0x2 [0109.168] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0109.168] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0109.168] RegCloseKey (hKey=0x20c) returned 0x0 [0109.169] Sleep (dwMilliseconds=0xa) [0109.267] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0109.267] GetLastError () returned 0x2 [0109.267] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0109.269] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0109.269] RegCloseKey (hKey=0x210) returned 0x0 [0109.269] Sleep (dwMilliseconds=0xa) [0109.442] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0109.442] GetLastError () returned 0x2 [0109.442] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0109.443] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0109.443] RegCloseKey (hKey=0x210) returned 0x0 [0109.443] Sleep (dwMilliseconds=0xa) [0109.606] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0109.607] GetLastError () returned 0x2 [0109.607] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0109.608] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0109.608] RegCloseKey (hKey=0x210) returned 0x0 [0109.608] Sleep (dwMilliseconds=0xa) [0109.773] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0109.773] GetLastError () returned 0x2 [0109.773] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0109.774] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0109.774] RegCloseKey (hKey=0x210) returned 0x0 [0109.774] Sleep (dwMilliseconds=0xa) [0109.955] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0109.956] GetLastError () returned 0x2 [0109.956] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0109.956] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0109.956] RegCloseKey (hKey=0x210) returned 0x0 [0109.956] Sleep (dwMilliseconds=0xa) [0110.040] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.041] GetLastError () returned 0x2 [0110.041] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.041] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.042] RegCloseKey (hKey=0x210) returned 0x0 [0110.042] Sleep (dwMilliseconds=0xa) [0110.106] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.107] GetLastError () returned 0x2 [0110.107] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0110.107] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.107] RegCloseKey (hKey=0x20c) returned 0x0 [0110.107] Sleep (dwMilliseconds=0xa) [0110.169] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.170] GetLastError () returned 0x2 [0110.170] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.171] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.171] RegCloseKey (hKey=0x210) returned 0x0 [0110.171] Sleep (dwMilliseconds=0xa) [0110.263] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.264] GetLastError () returned 0x2 [0110.264] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.264] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.264] RegCloseKey (hKey=0x210) returned 0x0 [0110.264] Sleep (dwMilliseconds=0xa) [0110.373] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.374] GetLastError () returned 0x2 [0110.374] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.375] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.375] RegCloseKey (hKey=0x210) returned 0x0 [0110.375] Sleep (dwMilliseconds=0xa) [0110.466] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.466] GetLastError () returned 0x2 [0110.466] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.467] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.467] RegCloseKey (hKey=0x210) returned 0x0 [0110.467] Sleep (dwMilliseconds=0xa) [0110.562] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.562] GetLastError () returned 0x2 [0110.562] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.563] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.563] RegCloseKey (hKey=0x210) returned 0x0 [0110.563] Sleep (dwMilliseconds=0xa) [0110.653] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ae0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.653] GetLastError () returned 0x2 [0110.653] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.654] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.654] RegCloseKey (hKey=0x210) returned 0x0 [0110.654] Sleep (dwMilliseconds=0xa) [0110.715] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.716] GetLastError () returned 0x2 [0110.716] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0110.716] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.716] RegCloseKey (hKey=0x20c) returned 0x0 [0110.717] Sleep (dwMilliseconds=0xa) [0110.778] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.778] GetLastError () returned 0x2 [0110.778] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.780] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.780] RegCloseKey (hKey=0x210) returned 0x0 [0110.780] Sleep (dwMilliseconds=0xa) [0110.982] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0110.982] GetLastError () returned 0x2 [0110.982] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0110.983] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0110.983] RegCloseKey (hKey=0x210) returned 0x0 [0110.983] Sleep (dwMilliseconds=0xa) [0111.155] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0111.155] GetLastError () returned 0x2 [0111.155] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0111.156] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0111.156] RegCloseKey (hKey=0x210) returned 0x0 [0111.156] Sleep (dwMilliseconds=0xa) [0111.350] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0111.350] GetLastError () returned 0x2 [0111.350] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0111.351] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0111.351] RegCloseKey (hKey=0x214) returned 0x0 [0111.351] Sleep (dwMilliseconds=0xa) [0111.484] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0111.485] GetLastError () returned 0x2 [0111.485] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0111.693] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0111.693] RegCloseKey (hKey=0x214) returned 0x0 [0111.694] Sleep (dwMilliseconds=0xa) [0111.877] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0111.877] GetLastError () returned 0x2 [0111.877] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0111.878] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0111.878] RegCloseKey (hKey=0x210) returned 0x0 [0111.878] Sleep (dwMilliseconds=0xa) [0112.030] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0112.030] GetLastError () returned 0x2 [0112.031] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0112.031] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0112.031] RegCloseKey (hKey=0x210) returned 0x0 [0112.031] Sleep (dwMilliseconds=0xa) [0112.152] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0112.153] GetLastError () returned 0x2 [0112.153] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0112.154] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0112.154] RegCloseKey (hKey=0x20c) returned 0x0 [0112.154] Sleep (dwMilliseconds=0xa) [0112.402] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0112.402] GetLastError () returned 0x2 [0112.403] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0112.405] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0112.405] RegCloseKey (hKey=0x214) returned 0x0 [0112.405] Sleep (dwMilliseconds=0xa) [0112.575] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0112.575] GetLastError () returned 0x2 [0112.575] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0112.576] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0112.576] RegCloseKey (hKey=0x210) returned 0x0 [0112.576] Sleep (dwMilliseconds=0xa) [0112.706] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0112.706] GetLastError () returned 0x2 [0112.706] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0112.707] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0112.707] RegCloseKey (hKey=0x210) returned 0x0 [0112.707] Sleep (dwMilliseconds=0xa) [0112.895] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0112.895] GetLastError () returned 0x2 [0112.896] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0112.896] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0112.896] RegCloseKey (hKey=0x214) returned 0x0 [0112.896] Sleep (dwMilliseconds=0xa) [0113.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0113.086] GetLastError () returned 0x2 [0113.086] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0113.229] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0113.229] RegCloseKey (hKey=0x214) returned 0x0 [0113.229] Sleep (dwMilliseconds=0xa) [0113.339] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0113.339] GetLastError () returned 0x2 [0113.339] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0113.340] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0113.340] RegCloseKey (hKey=0x20c) returned 0x0 [0113.340] Sleep (dwMilliseconds=0xa) [0113.520] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0113.521] GetLastError () returned 0x2 [0113.521] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0113.522] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0113.522] RegCloseKey (hKey=0x210) returned 0x0 [0113.523] Sleep (dwMilliseconds=0xa) [0113.689] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0113.690] GetLastError () returned 0x2 [0113.690] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0113.690] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0113.691] RegCloseKey (hKey=0x210) returned 0x0 [0113.691] Sleep (dwMilliseconds=0xa) [0113.901] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0113.901] GetLastError () returned 0x2 [0113.901] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0114.236] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0114.236] RegCloseKey (hKey=0x210) returned 0x0 [0114.236] Sleep (dwMilliseconds=0xa) [0114.412] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0114.413] GetLastError () returned 0x2 [0114.413] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0114.414] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0114.414] RegCloseKey (hKey=0x214) returned 0x0 [0114.414] Sleep (dwMilliseconds=0xa) [0114.523] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0114.524] GetLastError () returned 0x2 [0114.524] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0114.525] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0114.525] RegCloseKey (hKey=0x210) returned 0x0 [0114.525] Sleep (dwMilliseconds=0xa) [0114.607] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0114.607] GetLastError () returned 0x2 [0114.607] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0114.833] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0114.833] RegCloseKey (hKey=0x210) returned 0x0 [0114.833] Sleep (dwMilliseconds=0xa) [0114.936] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0114.937] GetLastError () returned 0x2 [0114.937] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0114.937] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0114.937] RegCloseKey (hKey=0x20c) returned 0x0 [0114.938] Sleep (dwMilliseconds=0xa) [0115.073] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0115.073] GetLastError () returned 0x2 [0115.074] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0115.075] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0115.075] RegCloseKey (hKey=0x214) returned 0x0 [0115.076] Sleep (dwMilliseconds=0xa) [0115.227] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ae0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0115.227] GetLastError () returned 0x2 [0115.227] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0115.228] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0115.228] RegCloseKey (hKey=0x210) returned 0x0 [0115.228] Sleep (dwMilliseconds=0xa) [0115.430] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0115.430] GetLastError () returned 0x2 [0115.430] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0115.431] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0115.431] RegCloseKey (hKey=0x210) returned 0x0 [0115.431] Sleep (dwMilliseconds=0xa) [0115.570] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ae0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0115.570] GetLastError () returned 0x2 [0115.570] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0115.571] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0115.571] RegCloseKey (hKey=0x214) returned 0x0 [0115.571] Sleep (dwMilliseconds=0xa) [0115.662] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0115.663] GetLastError () returned 0x2 [0115.663] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0115.663] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0115.663] RegCloseKey (hKey=0x214) returned 0x0 [0115.663] Sleep (dwMilliseconds=0xa) [0115.773] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0115.774] GetLastError () returned 0x2 [0115.774] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0115.774] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0115.774] RegCloseKey (hKey=0x210) returned 0x0 [0115.774] Sleep (dwMilliseconds=0xa) [0115.946] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ae0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0115.946] GetLastError () returned 0x2 [0115.946] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0115.947] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0115.947] RegCloseKey (hKey=0x214) returned 0x0 [0115.947] Sleep (dwMilliseconds=0xa) [0116.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0116.086] GetLastError () returned 0x2 [0116.086] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0116.087] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0116.087] RegCloseKey (hKey=0x210) returned 0x0 [0116.087] Sleep (dwMilliseconds=0xa) [0116.246] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0116.246] GetLastError () returned 0x2 [0116.246] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0116.247] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0116.247] RegCloseKey (hKey=0x210) returned 0x0 [0116.247] Sleep (dwMilliseconds=0xa) [0116.310] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3593d8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0116.310] GetLastError () returned 0x2 [0116.310] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0116.311] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0116.311] RegCloseKey (hKey=0x20c) returned 0x0 [0116.311] Sleep (dwMilliseconds=0xa) [0116.477] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b58, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0116.477] GetLastError () returned 0x2 [0116.477] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0116.479] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0116.479] RegCloseKey (hKey=0x210) returned 0x0 [0116.479] Sleep (dwMilliseconds=0xa) [0116.618] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0116.618] GetLastError () returned 0x2 [0116.618] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0116.618] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0116.618] RegCloseKey (hKey=0x210) returned 0x0 [0116.618] Sleep (dwMilliseconds=0xa) [0116.773] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0116.774] GetLastError () returned 0x2 [0116.774] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0116.774] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0116.774] RegCloseKey (hKey=0x210) returned 0x0 [0116.775] Sleep (dwMilliseconds=0xa) [0116.945] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0116.946] GetLastError () returned 0x2 [0116.946] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0116.946] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0116.946] RegCloseKey (hKey=0x210) returned 0x0 [0116.946] Sleep (dwMilliseconds=0xa) [0117.118] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0117.118] GetLastError () returned 0x2 [0117.118] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0117.119] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0117.119] RegCloseKey (hKey=0x214) returned 0x0 [0117.119] Sleep (dwMilliseconds=0xa) [0117.400] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0117.400] GetLastError () returned 0x2 [0117.400] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0117.401] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0117.401] RegCloseKey (hKey=0x214) returned 0x0 [0117.401] Sleep (dwMilliseconds=0xa) [0117.570] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0117.571] GetLastError () returned 0x2 [0117.571] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0117.571] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0117.571] RegCloseKey (hKey=0x210) returned 0x0 [0117.572] Sleep (dwMilliseconds=0xa) [0117.711] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0117.712] GetLastError () returned 0x2 [0117.712] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0117.713] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0117.713] RegCloseKey (hKey=0x210) returned 0x0 [0117.713] Sleep (dwMilliseconds=0xa) [0117.843] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0117.843] GetLastError () returned 0x2 [0117.843] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0117.843] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0117.844] RegCloseKey (hKey=0x20c) returned 0x0 [0117.844] Sleep (dwMilliseconds=0xa) [0117.945] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0117.946] GetLastError () returned 0x2 [0117.946] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0117.946] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0117.946] RegCloseKey (hKey=0x20c) returned 0x0 [0117.946] Sleep (dwMilliseconds=0xa) [0118.086] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0118.087] GetLastError () returned 0x2 [0118.087] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0118.089] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0118.089] RegCloseKey (hKey=0x214) returned 0x0 [0118.089] Sleep (dwMilliseconds=0xa) [0118.226] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0118.227] GetLastError () returned 0x2 [0118.227] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0118.227] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0118.227] RegCloseKey (hKey=0x214) returned 0x0 [0118.227] Sleep (dwMilliseconds=0xa) [0118.452] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0118.453] GetLastError () returned 0x2 [0118.453] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0118.453] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0118.453] RegCloseKey (hKey=0x210) returned 0x0 [0118.453] Sleep (dwMilliseconds=0xa) [0118.571] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0118.572] GetLastError () returned 0x2 [0118.572] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0118.572] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0118.573] RegCloseKey (hKey=0x210) returned 0x0 [0118.573] Sleep (dwMilliseconds=0xa) [0118.711] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0118.711] GetLastError () returned 0x2 [0118.711] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0118.711] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0118.712] RegCloseKey (hKey=0x214) returned 0x0 [0118.712] Sleep (dwMilliseconds=0xa) [0118.851] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3595e8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0118.852] GetLastError () returned 0x2 [0118.852] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0118.852] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0118.852] RegCloseKey (hKey=0x20c) returned 0x0 [0118.852] Sleep (dwMilliseconds=0xa) [0118.908] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0118.958] GetLastError () returned 0x2 [0118.958] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0118.959] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0118.959] RegCloseKey (hKey=0x20c) returned 0x0 [0118.959] Sleep (dwMilliseconds=0xa) [0119.099] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0119.099] GetLastError () returned 0x2 [0119.099] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x210) returned 0x0 [0119.101] RegQueryValueExA (in: hKey=0x210, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0119.101] RegCloseKey (hKey=0x210) returned 0x0 [0119.101] Sleep (dwMilliseconds=0xa) [0119.239] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b88, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0119.239] GetLastError () returned 0x2 [0119.239] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0119.240] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0119.240] RegCloseKey (hKey=0x214) returned 0x0 [0119.240] Sleep (dwMilliseconds=0xa) [0119.383] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0119.383] GetLastError () returned 0x2 [0119.383] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0119.384] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0119.384] RegCloseKey (hKey=0x214) returned 0x0 [0119.384] Sleep (dwMilliseconds=0xa) [0119.552] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x34ab28, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0119.552] GetLastError () returned 0x2 [0119.552] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0119.553] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0119.553] RegCloseKey (hKey=0x214) returned 0x0 [0119.553] Sleep (dwMilliseconds=0xa) [0119.864] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0119.865] GetLastError () returned 0x2 [0119.865] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0119.865] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0119.865] RegCloseKey (hKey=0x214) returned 0x0 [0119.866] Sleep (dwMilliseconds=0xa) [0119.989] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0119.990] GetLastError () returned 0x2 [0119.990] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0120.302] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0120.302] RegCloseKey (hKey=0x214) returned 0x0 [0120.302] Sleep (dwMilliseconds=0xa) [0120.392] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0120.392] GetLastError () returned 0x2 [0120.392] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0120.393] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0120.393] RegCloseKey (hKey=0x20c) returned 0x0 [0120.393] Sleep (dwMilliseconds=0xa) [0120.573] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0120.573] GetLastError () returned 0x2 [0120.573] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0120.575] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0120.575] RegCloseKey (hKey=0x214) returned 0x0 [0120.576] Sleep (dwMilliseconds=0xa) [0121.181] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0121.182] GetLastError () returned 0x2 [0121.182] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0121.182] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0121.183] RegCloseKey (hKey=0x214) returned 0x0 [0121.183] Sleep (dwMilliseconds=0xa) [0121.348] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0121.348] GetLastError () returned 0x2 [0121.348] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0121.349] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0121.349] RegCloseKey (hKey=0x214) returned 0x0 [0121.349] Sleep (dwMilliseconds=0xa) [0121.490] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0121.490] GetLastError () returned 0x2 [0121.490] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0121.491] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0121.491] RegCloseKey (hKey=0x214) returned 0x0 [0121.491] Sleep (dwMilliseconds=0xa) [0122.193] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0122.193] GetLastError () returned 0x2 [0122.193] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0122.194] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0122.194] RegCloseKey (hKey=0x214) returned 0x0 [0122.194] Sleep (dwMilliseconds=0xa) [0122.429] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0122.429] GetLastError () returned 0x2 [0122.429] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0122.430] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0122.430] RegCloseKey (hKey=0x214) returned 0x0 [0122.430] Sleep (dwMilliseconds=0xa) [0122.593] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0122.593] GetLastError () returned 0x2 [0122.593] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0122.594] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0122.594] RegCloseKey (hKey=0x20c) returned 0x0 [0122.594] Sleep (dwMilliseconds=0xa) [0122.752] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0122.753] GetLastError () returned 0x2 [0122.753] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x218) returned 0x0 [0122.755] RegQueryValueExA (in: hKey=0x218, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0122.755] RegCloseKey (hKey=0x218) returned 0x0 [0122.755] Sleep (dwMilliseconds=0xa) [0122.948] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0122.949] GetLastError () returned 0x2 [0122.949] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0122.949] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0122.949] RegCloseKey (hKey=0x214) returned 0x0 [0122.950] Sleep (dwMilliseconds=0xa) [0123.434] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0123.434] GetLastError () returned 0x2 [0123.434] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0123.435] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0123.435] RegCloseKey (hKey=0x214) returned 0x0 [0123.435] Sleep (dwMilliseconds=0xa) [0123.633] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0123.633] GetLastError () returned 0x2 [0123.633] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0123.729] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0123.729] RegCloseKey (hKey=0x214) returned 0x0 [0123.730] Sleep (dwMilliseconds=0xa) [0123.895] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359b40, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0123.896] GetLastError () returned 0x2 [0123.896] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0124.107] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0124.107] RegCloseKey (hKey=0x20c) returned 0x0 [0124.108] Sleep (dwMilliseconds=0xa) [0124.217] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0124.217] GetLastError () returned 0x2 [0124.217] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0124.217] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0124.218] RegCloseKey (hKey=0x20c) returned 0x0 [0124.218] Sleep (dwMilliseconds=0xa) [0124.560] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0124.561] GetLastError () returned 0x2 [0124.561] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0124.705] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0124.705] RegCloseKey (hKey=0x214) returned 0x0 [0124.706] Sleep (dwMilliseconds=0xa) [0124.817] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0124.817] GetLastError () returned 0x2 [0124.817] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0124.951] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0124.951] RegCloseKey (hKey=0x214) returned 0x0 [0124.952] Sleep (dwMilliseconds=0xa) [0125.076] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0125.076] GetLastError () returned 0x2 [0125.076] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0125.232] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0125.232] RegCloseKey (hKey=0x214) returned 0x0 [0125.232] Sleep (dwMilliseconds=0xa) [0125.347] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0125.347] GetLastError () returned 0x2 [0125.348] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0125.445] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0125.445] RegCloseKey (hKey=0x214) returned 0x0 [0125.446] Sleep (dwMilliseconds=0xa) [0125.586] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0125.586] GetLastError () returned 0x2 [0125.586] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0125.587] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0125.587] RegCloseKey (hKey=0x20c) returned 0x0 [0125.587] Sleep (dwMilliseconds=0xa) [0125.682] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0125.682] GetLastError () returned 0x2 [0125.682] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0125.684] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0125.684] RegCloseKey (hKey=0x214) returned 0x0 [0125.684] Sleep (dwMilliseconds=0xa) [0125.854] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0125.854] GetLastError () returned 0x2 [0125.854] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x218) returned 0x0 [0125.855] RegQueryValueExA (in: hKey=0x218, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0125.858] RegCloseKey (hKey=0x218) returned 0x0 [0125.858] Sleep (dwMilliseconds=0xa) [0125.992] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359558, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0125.993] GetLastError () returned 0x2 [0125.993] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0125.993] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0125.994] RegCloseKey (hKey=0x214) returned 0x0 [0125.994] Sleep (dwMilliseconds=0xa) [0126.075] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ae0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0126.076] GetLastError () returned 0x2 [0126.076] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x218) returned 0x0 [0126.399] RegQueryValueExA (in: hKey=0x218, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0126.399] RegCloseKey (hKey=0x218) returned 0x0 [0126.399] Sleep (dwMilliseconds=0xa) [0126.710] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359ab0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0126.711] GetLastError () returned 0x2 [0126.711] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0126.712] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0126.712] RegCloseKey (hKey=0x20c) returned 0x0 [0126.712] Sleep (dwMilliseconds=0xa) [0127.527] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0127.527] GetLastError () returned 0x2 [0127.527] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x20c) returned 0x0 [0127.528] RegQueryValueExA (in: hKey=0x20c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0127.528] RegCloseKey (hKey=0x20c) returned 0x0 [0127.528] Sleep (dwMilliseconds=0xa) [0127.617] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0127.618] GetLastError () returned 0x2 [0127.618] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x214) returned 0x0 [0127.721] RegQueryValueExA (in: hKey=0x214, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0127.721] RegCloseKey (hKey=0x214) returned 0x0 [0127.721] Sleep (dwMilliseconds=0xa) [0127.999] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0128.000] GetLastError () returned 0x2 [0128.000] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x220) returned 0x0 [0128.000] RegQueryValueExA (in: hKey=0x220, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0128.000] RegCloseKey (hKey=0x220) returned 0x0 [0128.001] Sleep (dwMilliseconds=0xa) [0128.281] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0128.282] GetLastError () returned 0x2 [0128.282] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x228) returned 0x0 [0128.283] RegQueryValueExA (in: hKey=0x228, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0128.283] RegCloseKey (hKey=0x228) returned 0x0 [0128.283] Sleep (dwMilliseconds=0xa) [0128.444] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0128.444] GetLastError () returned 0x2 [0128.445] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x22c) returned 0x0 [0128.445] RegQueryValueExA (in: hKey=0x22c, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0128.445] RegCloseKey (hKey=0x22c) returned 0x0 [0128.445] Sleep (dwMilliseconds=0xa) [0129.094] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0129.094] GetLastError () returned 0x2 [0129.094] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x224) returned 0x0 [0129.095] RegQueryValueExA (in: hKey=0x224, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0129.095] RegCloseKey (hKey=0x224) returned 0x0 [0129.095] Sleep (dwMilliseconds=0xa) [0129.226] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0129.227] GetLastError () returned 0x2 [0129.227] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x290) returned 0x0 [0129.228] RegQueryValueExA (in: hKey=0x290, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0129.228] RegCloseKey (hKey=0x290) returned 0x0 [0129.228] Sleep (dwMilliseconds=0xa) [0129.327] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0129.327] GetLastError () returned 0x2 [0129.327] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x290) returned 0x0 [0129.328] RegQueryValueExA (in: hKey=0x290, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0129.328] RegCloseKey (hKey=0x290) returned 0x0 [0129.328] Sleep (dwMilliseconds=0xa) [0129.632] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0129.632] GetLastError () returned 0x2 [0129.632] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2ac) returned 0x0 [0129.633] RegQueryValueExA (in: hKey=0x2ac, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0129.633] RegCloseKey (hKey=0x2ac) returned 0x0 [0129.633] Sleep (dwMilliseconds=0xa) [0129.977] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0129.978] GetLastError () returned 0x2 [0129.978] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2b0) returned 0x0 [0129.983] RegQueryValueExA (in: hKey=0x2b0, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0129.983] RegCloseKey (hKey=0x2b0) returned 0x0 [0129.983] Sleep (dwMilliseconds=0xa) [0130.089] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359bb8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.089] GetLastError () returned 0x2 [0130.089] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2bc) returned 0x0 [0130.183] RegQueryValueExA (in: hKey=0x2bc, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.183] RegCloseKey (hKey=0x2bc) returned 0x0 [0130.183] Sleep (dwMilliseconds=0xa) [0130.268] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.269] GetLastError () returned 0x2 [0130.269] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2c0) returned 0x0 [0130.270] RegQueryValueExA (in: hKey=0x2c0, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.270] RegCloseKey (hKey=0x2c0) returned 0x0 [0130.270] Sleep (dwMilliseconds=0xa) [0130.360] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.360] GetLastError () returned 0x2 [0130.360] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2bc) returned 0x0 [0130.361] RegQueryValueExA (in: hKey=0x2bc, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.361] RegCloseKey (hKey=0x2bc) returned 0x0 [0130.361] Sleep (dwMilliseconds=0xa) [0130.453] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.453] GetLastError () returned 0x2 [0130.453] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2bc) returned 0x0 [0130.454] RegQueryValueExA (in: hKey=0x2bc, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.454] RegCloseKey (hKey=0x2bc) returned 0x0 [0130.454] Sleep (dwMilliseconds=0xa) [0130.546] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359be8, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.546] GetLastError () returned 0x2 [0130.546] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2c0) returned 0x0 [0130.547] RegQueryValueExA (in: hKey=0x2c0, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.547] RegCloseKey (hKey=0x2c0) returned 0x0 [0130.547] Sleep (dwMilliseconds=0xa) [0130.682] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.682] GetLastError () returned 0x2 [0130.682] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2ac) returned 0x0 [0130.683] RegQueryValueExA (in: hKey=0x2ac, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.683] RegCloseKey (hKey=0x2ac) returned 0x0 [0130.683] Sleep (dwMilliseconds=0xa) [0130.786] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x3599c0, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.786] GetLastError () returned 0x2 [0130.786] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2bc) returned 0x0 [0130.788] RegQueryValueExA (in: hKey=0x2bc, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.788] RegCloseKey (hKey=0x2bc) returned 0x0 [0130.788] Sleep (dwMilliseconds=0xa) [0130.863] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359438, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.863] GetLastError () returned 0x2 [0130.863] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2c0) returned 0x0 [0130.864] RegQueryValueExA (in: hKey=0x2c0, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.864] RegCloseKey (hKey=0x2c0) returned 0x0 [0130.864] Sleep (dwMilliseconds=0xa) [0130.970] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0130.971] GetLastError () returned 0x2 [0130.971] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2c0) returned 0x0 [0130.971] RegQueryValueExA (in: hKey=0x2c0, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0130.971] RegCloseKey (hKey=0x2c0) returned 0x0 [0130.971] Sleep (dwMilliseconds=0xa) [0131.114] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\7549B699.zeppelin", lpFindFileData=0xf7f7c4 | out: lpFindFileData=0xf7f7c4*(dwFileAttributes=0xf7f810, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0xf7f920, ftLastAccessTime.dwHighDateTime=0x773e8fb3, ftLastWriteTime.dwLowDateTime=0x359a80, ftLastWriteTime.dwHighDateTime=0x12, nFileSizeHigh=0x773e8fcf, nFileSizeLow=0xf7f7d0, dwReserved0=0x9c0608, dwReserved1=0xf70000, cFileName="", cAlternateFileName="﨤÷◐眨邮￾￿礼÷㔟眧\n")) returned 0xffffffff [0131.114] GetLastError () returned 0x2 [0131.114] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Zeppelin", ulOptions=0x0, samDesired=0x20019, phkResult=0xf7f99c | out: phkResult=0xf7f99c*=0x2bc) returned 0x0 [0131.115] RegQueryValueExA (in: hKey=0x2bc, lpValueName="Stop", lpReserved=0x0, lpType=0xf7f9a0, lpData=0x0, lpcbData=0xf7f998*=0xf7fa10 | out: lpType=0xf7f9a0*=0x0, lpData=0x0, lpcbData=0xf7f998*=0x0) returned 0x2 [0131.115] RegCloseKey (hKey=0x2bc) returned 0x0 [0131.115] Sleep (dwMilliseconds=0xa) Thread: id = 41 os_tid = 0xfdc [0102.910] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0102.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359780, cbMultiByte=11, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exe") returned 11 [0102.911] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exe", lpUsedDefaultChar=0x0) returned 11 [0102.911] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0102.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeexe", lpUsedDefaultChar=0x0) returned 12 [0102.913] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0102.913] GetProcAddress (hModule=0x74030000, lpProcName="CreateToolhelp32Snapshot") returned 0x7407edc0 [0102.913] GetProcAddress (hModule=0x74030000, lpProcName="Heap32ListFirst") returned 0x7407f1a0 [0102.913] GetProcAddress (hModule=0x74030000, lpProcName="Heap32ListNext") returned 0x7407f250 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Heap32First") returned 0x7407f2f0 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Heap32Next") returned 0x7407f510 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x74048830 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Process32First") returned 0x7407f810 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Process32Next") returned 0x7407f9a0 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Process32FirstW") returned 0x7407f750 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Process32NextW") returned 0x7407f8f0 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Thread32First") returned 0x7407fa80 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Thread32Next") returned 0x7407fb30 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Module32First") returned 0x7407fc90 [0102.914] GetProcAddress (hModule=0x74030000, lpProcName="Module32Next") returned 0x7407fe30 [0102.915] GetProcAddress (hModule=0x74030000, lpProcName="Module32FirstW") returned 0x7407fbd0 [0102.915] GetProcAddress (hModule=0x74030000, lpProcName="Module32NextW") returned 0x7407fd80 [0102.915] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0102.937] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0102.938] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0102.938] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0102.938] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0102.939] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exe", lpUsedDefaultChar=0x0) returned 11 [0102.939] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0102.940] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0102.940] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0102.940] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0102.940] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="ᥠ\x06sers\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 0 [0102.940] GetLastError () returned 0x1f [0102.940] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="ᥠ\x06sers\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 0 [0102.940] CloseHandle (hObject=0x210) returned 1 [0102.948] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0102.949] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0102.949] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0102.949] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0102.949] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0102.950] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0102.950] CloseHandle (hObject=0x210) returned 1 [0102.950] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0102.951] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.003] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.003] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0103.003] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0103.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0103.004] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0103.004] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0103.005] CloseHandle (hObject=0x210) returned 1 [0103.005] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0103.005] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.005] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.005] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0103.005] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0103.006] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.006] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.006] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0103.006] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0103.006] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0103.007] CloseHandle (hObject=0x210) returned 1 [0103.007] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0103.007] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.007] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.007] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0103.007] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0103.008] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0103.008] CloseHandle (hObject=0x210) returned 1 [0103.008] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0103.008] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.009] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.009] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0103.009] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0103.009] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0103.009] CloseHandle (hObject=0x210) returned 1 [0103.009] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.010] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.010] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.010] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0103.010] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.010] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.010] CloseHandle (hObject=0x210) returned 1 [0103.010] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0103.011] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.011] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.011] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0103.011] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0103.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0103.012] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0103.013] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.013] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.013] CloseHandle (hObject=0x210) returned 1 [0103.013] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0103.014] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.014] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.014] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0103.014] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.015] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.015] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.015] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0103.015] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.015] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.015] CloseHandle (hObject=0x210) returned 1 [0103.015] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.016] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.016] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.016] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0103.016] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.016] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.016] CloseHandle (hObject=0x210) returned 1 [0103.016] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.017] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.017] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.017] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0103.017] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.017] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.018] CloseHandle (hObject=0x210) returned 1 [0103.018] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.018] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.018] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.018] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0103.018] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.019] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.019] CloseHandle (hObject=0x210) returned 1 [0103.019] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.019] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.019] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.020] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0103.020] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.020] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.020] CloseHandle (hObject=0x210) returned 1 [0103.020] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.021] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.021] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.021] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0103.021] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.021] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.021] CloseHandle (hObject=0x210) returned 1 [0103.021] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0103.022] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.022] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.022] CloseHandle (hObject=0x210) returned 1 [0103.022] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.023] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.023] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.023] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0103.023] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.023] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.024] CloseHandle (hObject=0x210) returned 1 [0103.024] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.024] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.024] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.024] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0103.024] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.025] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.025] CloseHandle (hObject=0x210) returned 1 [0103.025] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.025] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.026] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.026] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0103.026] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.026] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.026] CloseHandle (hObject=0x210) returned 1 [0103.026] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.027] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.027] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.027] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0103.027] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.027] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.027] CloseHandle (hObject=0x210) returned 1 [0103.027] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0103.028] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.028] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.028] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0103.028] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0103.028] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0103.029] CloseHandle (hObject=0x210) returned 1 [0103.029] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0103.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.029] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.030] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0103.030] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0103.030] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0103.030] CloseHandle (hObject=0x210) returned 1 [0103.030] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0103.031] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.031] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.031] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0103.031] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0103.031] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0103.031] CloseHandle (hObject=0x210) returned 1 [0103.031] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.032] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.032] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.032] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0103.032] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.032] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.032] CloseHandle (hObject=0x210) returned 1 [0103.032] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0103.033] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.033] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.033] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0103.033] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0103.034] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0103.034] CloseHandle (hObject=0x210) returned 1 [0103.034] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0103.034] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.034] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.034] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0103.035] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0103.035] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0103.035] CloseHandle (hObject=0x210) returned 1 [0103.035] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0103.035] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.036] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.036] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0103.036] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0103.036] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0103.036] CloseHandle (hObject=0x210) returned 1 [0103.036] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0103.037] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.037] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.037] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0103.037] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0103.037] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0103.037] CloseHandle (hObject=0x210) returned 1 [0103.037] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0103.038] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.038] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.038] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0103.038] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0103.038] GetLastError () returned 0x1f [0103.038] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0103.038] CloseHandle (hObject=0x210) returned 1 [0103.103] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0103.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0103.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0103.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0103.104] CloseHandle (hObject=0x210) returned 1 [0103.104] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0103.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0103.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0103.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0103.105] CloseHandle (hObject=0x210) returned 1 [0103.106] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0103.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0103.107] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0103.107] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0103.107] CloseHandle (hObject=0x210) returned 1 [0103.107] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0103.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.108] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.108] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0103.108] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0103.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0103.109] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0103.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0103.110] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.110] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0103.110] CloseHandle (hObject=0x210) returned 1 [0103.110] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0103.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0103.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0103.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0103.112] CloseHandle (hObject=0x210) returned 1 [0103.112] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0103.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0103.112] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0103.113] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0103.113] CloseHandle (hObject=0x210) returned 1 [0103.113] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0103.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.114] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0103.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0103.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0103.114] CloseHandle (hObject=0x210) returned 1 [0103.114] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0103.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0103.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0103.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0103.115] CloseHandle (hObject=0x210) returned 1 [0103.115] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0103.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.116] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.116] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0103.116] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0103.116] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0103.117] CloseHandle (hObject=0x210) returned 1 [0103.117] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0103.117] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0103.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0103.118] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0103.118] CloseHandle (hObject=0x210) returned 1 [0103.118] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0103.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.119] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0103.119] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0103.119] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0103.119] CloseHandle (hObject=0x210) returned 1 [0103.119] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0103.120] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.120] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.120] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0103.120] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0103.120] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0103.120] CloseHandle (hObject=0x210) returned 1 [0103.120] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0103.121] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.121] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.121] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0103.121] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0103.121] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0103.122] CloseHandle (hObject=0x210) returned 1 [0103.122] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0103.122] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.122] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.122] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0103.122] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0103.123] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0103.123] CloseHandle (hObject=0x210) returned 1 [0103.123] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0103.124] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.124] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.124] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0103.124] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0103.124] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0103.124] CloseHandle (hObject=0x210) returned 1 [0103.124] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0103.125] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.125] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.125] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0103.125] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0103.125] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0103.125] CloseHandle (hObject=0x210) returned 1 [0103.126] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0103.126] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.126] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.126] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0103.126] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0103.126] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0103.127] CloseHandle (hObject=0x210) returned 1 [0103.127] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0103.127] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.127] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.127] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0103.127] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0103.128] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0103.128] CloseHandle (hObject=0x210) returned 1 [0103.128] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0103.128] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.129] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.129] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0103.129] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0103.129] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0103.129] CloseHandle (hObject=0x210) returned 1 [0103.129] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0103.130] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.130] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.130] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0103.130] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0103.130] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0103.130] CloseHandle (hObject=0x210) returned 1 [0103.130] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0103.131] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.131] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.131] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0103.131] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0103.131] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0103.131] CloseHandle (hObject=0x210) returned 1 [0103.131] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0103.132] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.132] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.132] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0103.132] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0103.132] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0103.133] CloseHandle (hObject=0x210) returned 1 [0103.133] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0103.134] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.134] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.134] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0103.134] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.134] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.134] CloseHandle (hObject=0x210) returned 1 [0103.134] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0103.135] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.135] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.135] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0103.135] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0103.136] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0103.136] CloseHandle (hObject=0x210) returned 1 [0103.136] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0103.137] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.137] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.137] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0103.137] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.137] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.137] CloseHandle (hObject=0x210) returned 1 [0103.137] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0103.188] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0103.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0103.189] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0103.189] CloseHandle (hObject=0x210) returned 1 [0103.189] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0103.190] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0103.190] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0103.190] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0103.191] CloseHandle (hObject=0x210) returned 1 [0103.191] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0103.192] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.192] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.192] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0103.192] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.192] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.192] CloseHandle (hObject=0x210) returned 1 [0103.192] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0103.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0103.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0103.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0103.194] CloseHandle (hObject=0x210) returned 1 [0103.194] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0103.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0103.195] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0103.195] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0103.196] CloseHandle (hObject=0x210) returned 1 [0103.196] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0103.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0103.197] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0103.197] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0103.197] CloseHandle (hObject=0x210) returned 1 [0103.197] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0103.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0103.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0103.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0103.199] CloseHandle (hObject=0x210) returned 1 [0103.199] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0103.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0103.200] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0103.200] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0103.201] CloseHandle (hObject=0x210) returned 1 [0103.201] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0103.202] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0103.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0103.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0103.202] CloseHandle (hObject=0x210) returned 1 [0103.202] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0103.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0103.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0103.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0103.204] CloseHandle (hObject=0x210) returned 1 [0103.204] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0103.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0103.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.206] CloseHandle (hObject=0x210) returned 1 [0103.206] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0103.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0103.207] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.207] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.207] CloseHandle (hObject=0x210) returned 1 [0103.207] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0103.208] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.208] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.208] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0103.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0103.209] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0103.209] CloseHandle (hObject=0x210) returned 1 [0103.209] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0103.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.210] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.210] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0103.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0103.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0103.210] CloseHandle (hObject=0x210) returned 1 [0103.210] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0103.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0103.211] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0103.212] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0103.212] CloseHandle (hObject=0x210) returned 1 [0103.212] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0103.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0103.213] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0103.213] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0103.213] CloseHandle (hObject=0x210) returned 1 [0103.213] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0103.214] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.214] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0103.215] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.215] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.215] CloseHandle (hObject=0x210) returned 1 [0103.215] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0103.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0103.216] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0103.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0103.217] CloseHandle (hObject=0x210) returned 1 [0103.218] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="skype.exe.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0103.219] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exexe.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0103.219] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0103.220] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.220] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.220] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0103.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0103.220] CloseHandle (hObject=0x210) returned 1 [0103.221] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smartftp.exeepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0103.222] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exep.exeepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0103.222] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0103.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.223] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0103.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0103.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0103.224] CloseHandle (hObject=0x210) returned 1 [0103.225] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=15, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="thunderbird.exeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0103.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exebird.exeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0103.227] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0103.227] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.227] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.228] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0103.228] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0103.228] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0103.228] CloseHandle (hObject=0x210) returned 1 [0103.229] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="totalcmd.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="totalcmd.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0103.230] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exed.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0103.230] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0103.231] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.231] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.231] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0103.231] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0103.232] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0103.232] CloseHandle (hObject=0x210) returned 1 [0103.284] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0103.285] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0103.286] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.286] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.286] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0103.286] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0103.287] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0103.287] CloseHandle (hObject=0x210) returned 1 [0103.287] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0103.735] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.735] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.735] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0103.735] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0103.735] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0103.736] CloseHandle (hObject=0x210) returned 1 [0103.736] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0103.737] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.737] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.737] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0103.737] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0103.737] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0103.737] CloseHandle (hObject=0x210) returned 1 [0103.737] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0103.738] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.738] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.739] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0103.739] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0103.739] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0103.739] CloseHandle (hObject=0x210) returned 1 [0103.739] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0103.740] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.740] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.740] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0103.740] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0103.741] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0103.741] CloseHandle (hObject=0x210) returned 1 [0103.741] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0103.742] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.742] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.742] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0103.742] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0103.742] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0103.742] CloseHandle (hObject=0x210) returned 1 [0103.742] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0103.743] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.743] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.743] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0103.743] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0103.744] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0103.744] CloseHandle (hObject=0x210) returned 1 [0103.744] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0103.745] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.745] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.745] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0103.745] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0103.745] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0103.745] CloseHandle (hObject=0x210) returned 1 [0103.745] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0103.746] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.746] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.746] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0103.746] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0103.747] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0103.747] CloseHandle (hObject=0x210) returned 1 [0103.747] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0103.750] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.750] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.750] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0103.750] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0103.750] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0103.750] CloseHandle (hObject=0x210) returned 1 [0103.750] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0103.751] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.751] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.751] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0103.751] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0103.752] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0103.752] CloseHandle (hObject=0x210) returned 1 [0103.752] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0103.753] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.753] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.753] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0103.753] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0103.753] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0103.753] CloseHandle (hObject=0x210) returned 1 [0103.753] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0103.754] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.754] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.754] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0103.754] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0103.755] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0103.755] CloseHandle (hObject=0x210) returned 1 [0103.755] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0103.756] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0103.756] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0103.756] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0103.756] CloseHandle (hObject=0x210) returned 1 [0103.756] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0103.757] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.757] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.757] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0103.757] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0103.757] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0103.758] CloseHandle (hObject=0x210) returned 1 [0103.758] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0103.758] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.758] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.759] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0103.759] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0103.759] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0103.759] CloseHandle (hObject=0x210) returned 1 [0103.759] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0103.760] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.760] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.760] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0103.760] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0103.760] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0103.760] CloseHandle (hObject=0x210) returned 1 [0103.760] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0103.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0103.761] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0103.762] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0103.762] CloseHandle (hObject=0x210) returned 1 [0103.762] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0103.763] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.763] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.763] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0103.763] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0103.763] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0103.886] CloseHandle (hObject=0x210) returned 1 [0103.886] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0103.887] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.887] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.887] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0103.887] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0103.887] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0103.888] CloseHandle (hObject=0x210) returned 1 [0103.888] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0103.889] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.889] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.889] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0103.889] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0103.889] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0103.890] CloseHandle (hObject=0x210) returned 1 [0103.890] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0103.891] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.891] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.891] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0103.891] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0103.891] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0103.892] CloseHandle (hObject=0x210) returned 1 [0103.892] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0103.895] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.896] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0103.896] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0103.896] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0103.896] CloseHandle (hObject=0x210) returned 1 [0103.896] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0103.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.897] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.898] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0103.898] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0103.898] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0103.898] CloseHandle (hObject=0x210) returned 1 [0103.898] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0103.899] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.899] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.899] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0103.899] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0103.900] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0103.900] CloseHandle (hObject=0x210) returned 1 [0103.900] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0103.901] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.901] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.901] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a0) returned 0x210 [0103.901] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0103.902] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0103.902] CloseHandle (hObject=0x210) returned 1 [0103.902] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0103.903] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.903] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.903] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0103.903] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0103.903] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0103.904] CloseHandle (hObject=0x210) returned 1 [0103.904] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0103.905] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.905] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.905] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0103.905] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0103.905] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0103.905] CloseHandle (hObject=0x210) returned 1 [0103.906] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0103.906] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.907] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.907] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0103.907] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0103.907] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0103.908] CloseHandle (hObject=0x210) returned 1 [0103.909] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoia.exegnManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 9 [0103.910] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exexegnManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 11 [0103.911] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0103.911] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.912] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.912] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0103.912] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0103.912] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0103.912] CloseHandle (hObject=0x210) returned 1 [0103.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoia.exegnManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 9 [0103.915] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exexegnManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 11 [0103.915] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0103.943] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.943] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.943] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0103.943] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0103.943] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0103.943] CloseHandle (hObject=0x210) returned 1 [0103.946] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="AppHostRegistrationVerifier.exe", cchWideChar=31, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AppHostRegistrationVerifier.exeexe", lpUsedDefaultChar=0x0) returned 31 [0103.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeRegistrationVerifier.exeexe", lpUsedDefaultChar=0x0) returned 11 [0103.947] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.948] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.948] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.948] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0103.948] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0103.949] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0103.949] CloseHandle (hObject=0x210) returned 1 [0103.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exestrationVerifier.exeexe", lpUsedDefaultChar=0x0) returned 11 [0103.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exe.exestrationVerifier.exeexe", lpUsedDefaultChar=0x0) returned 11 [0103.951] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0103.952] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0103.952] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0103.952] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0103.952] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0103.952] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0103.953] CloseHandle (hObject=0x210) returned 1 [0103.954] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0104.023] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.023] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.023] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0104.023] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0104.023] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0104.023] CloseHandle (hObject=0x210) returned 1 [0104.024] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x112c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svsxchost.exe")) returned 1 [0104.025] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.025] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.025] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x112c) returned 0x210 [0104.025] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.025] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.025] CloseHandle (hObject=0x210) returned 1 [0104.025] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0104.026] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.026] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.026] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0104.026] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 0 [0104.026] GetLastError () returned 0x1f [0104.026] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 0 [0104.026] CloseHandle (hObject=0x210) returned 1 [0104.065] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.065] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.065] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.065] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0104.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.066] CloseHandle (hObject=0x210) returned 1 [0104.066] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0104.067] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.067] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.067] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0104.067] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0104.067] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0104.067] CloseHandle (hObject=0x210) returned 1 [0104.067] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.068] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.068] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.068] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0104.068] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0104.068] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0104.069] CloseHandle (hObject=0x210) returned 1 [0104.069] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x717f8, th32ModuleID=0x50000, cntThreads=0x70e8c, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x5000005, szExeFile="??Q???")) returned 0 [0104.069] CloseHandle (hObject=0x20c) returned 1 [0104.070] Sleep (dwMilliseconds=0x1) [0104.124] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0104.124] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x334d98, cbMultiByte=22, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exeagntsvc.exe") returned 22 [0104.127] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exe", lpUsedDefaultChar=0x0) returned 22 [0104.127] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0104.129] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeexeagntsvc.exe", lpUsedDefaultChar=0x0) returned 12 [0104.129] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0104.200] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0104.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0104.202] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exe\x06", lpUsedDefaultChar=0x0) returned 22 [0104.202] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0104.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0104.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 0 [0104.203] GetLastError () returned 0x1f [0104.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 0 [0104.203] CloseHandle (hObject=0x210) returned 1 [0104.210] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0104.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0104.211] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0104.211] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0104.212] CloseHandle (hObject=0x210) returned 1 [0104.212] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.212] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.212] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.212] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0104.213] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0104.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0104.213] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0104.214] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0104.214] CloseHandle (hObject=0x210) returned 1 [0104.214] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0104.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.215] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0104.215] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0104.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0104.216] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0104.216] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0104.216] CloseHandle (hObject=0x210) returned 1 [0104.217] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0104.217] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.217] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.217] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0104.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0104.218] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0104.218] CloseHandle (hObject=0x210) returned 1 [0104.218] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0104.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0104.219] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0104.219] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6215c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0104.220] CloseHandle (hObject=0x210) returned 1 [0104.220] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.221] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0104.221] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.221] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.221] CloseHandle (hObject=0x210) returned 1 [0104.222] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0104.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0104.223] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0104.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.223] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.223] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0104.224] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.224] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0104.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.225] CloseHandle (hObject=0x210) returned 1 [0104.225] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0104.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0104.226] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.227] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.227] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.227] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0104.227] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.227] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.228] CloseHandle (hObject=0x210) returned 1 [0104.228] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.228] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.229] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.229] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0104.229] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.229] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.229] CloseHandle (hObject=0x210) returned 1 [0104.229] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.230] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0104.230] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.230] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.231] CloseHandle (hObject=0x210) returned 1 [0104.231] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.231] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.231] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.232] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0104.232] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.232] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.232] CloseHandle (hObject=0x210) returned 1 [0104.232] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.233] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.233] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.233] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0104.233] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.233] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.234] CloseHandle (hObject=0x210) returned 1 [0104.234] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.235] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.235] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.235] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0104.235] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.235] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.235] CloseHandle (hObject=0x210) returned 1 [0104.287] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exesvc.exeexe", lpUsedDefaultChar=0x0) returned 11 [0104.289] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exeexe", lpUsedDefaultChar=0x0) returned 22 [0104.289] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.290] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.290] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.290] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0104.290] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.291] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.291] CloseHandle (hObject=0x210) returned 1 [0104.292] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exesvc.exeexe", lpUsedDefaultChar=0x0) returned 11 [0104.294] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exeexe", lpUsedDefaultChar=0x0) returned 22 [0104.294] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.294] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.295] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.295] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0104.295] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.295] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.295] CloseHandle (hObject=0x210) returned 1 [0104.296] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exesvc.exeexe", lpUsedDefaultChar=0x0) returned 11 [0104.299] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exeexe", lpUsedDefaultChar=0x0) returned 22 [0104.299] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.299] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.300] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.300] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0104.300] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.300] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.300] CloseHandle (hObject=0x210) returned 1 [0104.301] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exesvc.exeexe", lpUsedDefaultChar=0x0) returned 11 [0104.302] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0104.303] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.303] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.303] CloseHandle (hObject=0x210) returned 1 [0104.303] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.304] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.304] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0104.304] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.304] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.304] CloseHandle (hObject=0x210) returned 1 [0104.304] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0104.305] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.305] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.305] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0104.305] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0104.305] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0104.306] CloseHandle (hObject=0x210) returned 1 [0104.306] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0104.306] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.306] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.306] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0104.306] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0104.307] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0104.307] CloseHandle (hObject=0x210) returned 1 [0104.307] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0104.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.308] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.308] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0104.308] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0104.308] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0104.308] CloseHandle (hObject=0x210) returned 1 [0104.308] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.309] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.309] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.309] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0104.309] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.309] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.309] CloseHandle (hObject=0x210) returned 1 [0104.309] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0104.310] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.310] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.310] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0104.310] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0104.310] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0104.310] CloseHandle (hObject=0x210) returned 1 [0104.310] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0104.311] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.311] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.311] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0104.311] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0104.311] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0104.312] CloseHandle (hObject=0x210) returned 1 [0104.312] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0104.312] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.312] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.312] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0104.312] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0104.313] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0104.313] CloseHandle (hObject=0x210) returned 1 [0104.313] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0104.314] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.314] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.314] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0104.314] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0104.314] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0104.314] CloseHandle (hObject=0x210) returned 1 [0104.315] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0104.315] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.315] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.315] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0104.315] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0104.315] GetLastError () returned 0x1f [0104.315] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0104.315] CloseHandle (hObject=0x210) returned 1 [0104.415] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0104.416] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.416] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.416] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0104.417] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0104.417] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0104.417] CloseHandle (hObject=0x210) returned 1 [0104.417] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0104.418] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.419] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.419] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0104.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0104.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0104.419] CloseHandle (hObject=0x210) returned 1 [0104.419] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0104.420] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.420] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.420] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0104.421] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0104.421] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0104.421] CloseHandle (hObject=0x210) returned 1 [0104.421] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0104.422] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.422] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.422] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0104.422] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0104.424] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.424] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.424] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0104.424] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0104.425] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.426] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.426] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0104.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.426] CloseHandle (hObject=0x210) returned 1 [0104.426] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0104.427] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.427] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.427] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0104.428] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0104.428] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0104.428] CloseHandle (hObject=0x210) returned 1 [0104.428] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0104.429] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.429] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.429] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0104.429] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0104.430] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0104.430] CloseHandle (hObject=0x210) returned 1 [0104.430] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0104.431] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.431] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.431] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0104.431] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0104.432] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0104.432] CloseHandle (hObject=0x210) returned 1 [0104.432] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0104.433] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.433] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.433] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0104.433] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0104.433] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0104.434] CloseHandle (hObject=0x210) returned 1 [0104.434] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0104.435] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.435] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.435] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0104.435] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0104.435] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0104.436] CloseHandle (hObject=0x210) returned 1 [0104.436] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0104.437] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.437] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.437] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0104.437] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0104.437] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0104.437] CloseHandle (hObject=0x210) returned 1 [0104.437] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0104.438] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.439] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0104.439] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0104.439] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0104.439] CloseHandle (hObject=0x210) returned 1 [0104.439] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0104.496] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.496] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.496] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0104.496] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0104.496] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0104.497] CloseHandle (hObject=0x210) returned 1 [0104.497] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0104.498] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.498] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.498] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0104.498] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0104.498] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0104.498] CloseHandle (hObject=0x210) returned 1 [0104.498] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0104.499] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.499] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.499] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0104.500] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0104.500] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0104.500] CloseHandle (hObject=0x210) returned 1 [0104.500] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0104.501] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.501] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.501] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0104.501] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0104.502] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0104.502] CloseHandle (hObject=0x210) returned 1 [0104.502] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0104.503] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.503] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.503] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0104.503] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0104.503] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0104.504] CloseHandle (hObject=0x210) returned 1 [0104.504] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0104.504] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.505] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.505] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0104.505] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0104.505] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0104.505] CloseHandle (hObject=0x210) returned 1 [0104.505] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0104.506] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.506] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.506] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0104.506] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0104.507] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0104.507] CloseHandle (hObject=0x210) returned 1 [0104.507] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0104.508] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.508] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.508] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0104.508] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0104.508] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0104.509] CloseHandle (hObject=0x210) returned 1 [0104.509] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0104.510] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.510] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.510] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0104.510] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0104.510] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0104.510] CloseHandle (hObject=0x210) returned 1 [0104.510] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0104.511] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.511] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.511] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0104.511] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0104.512] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0104.512] CloseHandle (hObject=0x210) returned 1 [0104.512] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0104.513] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.513] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.513] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0104.513] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0104.514] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0104.514] CloseHandle (hObject=0x210) returned 1 [0104.514] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0104.515] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.515] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.515] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0104.515] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.516] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.516] CloseHandle (hObject=0x210) returned 1 [0104.516] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0104.531] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.531] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.531] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0104.531] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0104.532] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0104.532] CloseHandle (hObject=0x210) returned 1 [0104.532] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0104.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0104.534] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.534] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.535] CloseHandle (hObject=0x210) returned 1 [0104.535] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0104.536] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.536] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.536] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0104.536] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0104.537] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0104.537] CloseHandle (hObject=0x210) returned 1 [0104.537] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0104.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0104.539] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0104.539] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0104.539] CloseHandle (hObject=0x210) returned 1 [0104.539] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0104.541] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.541] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.541] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0104.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.541] CloseHandle (hObject=0x210) returned 1 [0104.541] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0104.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0104.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0104.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0104.544] CloseHandle (hObject=0x210) returned 1 [0104.544] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0104.545] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.545] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.545] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0104.545] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0104.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0104.546] CloseHandle (hObject=0x210) returned 1 [0104.546] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0104.547] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.547] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.547] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0104.548] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0104.611] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0104.611] CloseHandle (hObject=0x210) returned 1 [0104.611] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0104.613] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.613] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.613] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0104.613] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0104.613] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0104.614] CloseHandle (hObject=0x210) returned 1 [0104.614] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0104.615] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.615] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.615] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0104.615] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0104.616] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0104.616] CloseHandle (hObject=0x210) returned 1 [0104.616] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0104.617] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.617] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.617] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0104.617] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0104.618] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0104.618] CloseHandle (hObject=0x210) returned 1 [0104.618] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0104.619] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.619] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.620] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0104.620] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0104.620] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0104.620] CloseHandle (hObject=0x210) returned 1 [0104.620] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0104.621] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.622] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.622] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0104.622] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.622] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.623] CloseHandle (hObject=0x210) returned 1 [0104.623] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0104.624] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.624] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.624] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0104.624] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.625] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.625] CloseHandle (hObject=0x210) returned 1 [0104.625] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0104.627] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.627] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.627] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0104.627] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0104.627] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0104.627] CloseHandle (hObject=0x210) returned 1 [0104.628] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0104.629] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.629] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.629] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0104.629] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0104.629] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0104.630] CloseHandle (hObject=0x210) returned 1 [0104.630] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0104.631] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.631] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.631] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0104.631] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0104.631] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0104.632] CloseHandle (hObject=0x210) returned 1 [0104.632] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0104.633] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.633] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.633] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0104.633] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0104.634] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0104.634] CloseHandle (hObject=0x210) returned 1 [0104.634] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0104.635] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.635] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.635] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0104.635] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.636] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.636] CloseHandle (hObject=0x210) returned 1 [0104.636] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0104.637] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.637] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.637] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0104.637] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0104.638] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0104.638] CloseHandle (hObject=0x210) returned 1 [0104.638] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0104.639] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.639] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.639] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0104.640] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.640] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0104.640] CloseHandle (hObject=0x210) returned 1 [0104.640] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0104.641] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.642] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.642] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0104.642] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0104.642] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0104.642] CloseHandle (hObject=0x210) returned 1 [0104.642] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0104.644] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.644] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.644] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0104.644] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0104.644] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0104.644] CloseHandle (hObject=0x210) returned 1 [0104.645] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0104.646] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.646] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.646] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0104.646] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0104.646] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0104.647] CloseHandle (hObject=0x210) returned 1 [0104.647] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0104.648] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.648] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.648] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0104.648] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0104.648] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0104.649] CloseHandle (hObject=0x210) returned 1 [0104.649] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0104.650] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.650] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.650] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0104.650] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0104.650] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0104.651] CloseHandle (hObject=0x210) returned 1 [0104.651] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0104.652] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.652] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.652] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0104.652] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0104.653] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0104.653] CloseHandle (hObject=0x210) returned 1 [0104.653] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0104.654] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.654] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.654] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0104.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0104.655] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0104.655] CloseHandle (hObject=0x210) returned 1 [0104.655] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0104.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.656] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0104.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0104.657] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0104.657] CloseHandle (hObject=0x210) returned 1 [0104.657] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0104.712] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.712] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.712] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0104.712] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0104.713] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0104.713] CloseHandle (hObject=0x210) returned 1 [0104.713] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0104.714] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.714] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.714] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0104.714] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0104.715] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0104.715] CloseHandle (hObject=0x210) returned 1 [0104.715] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0104.716] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.716] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.716] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0104.716] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0104.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0104.717] CloseHandle (hObject=0x210) returned 1 [0104.717] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0104.718] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.718] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.718] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0104.718] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0104.719] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0104.719] CloseHandle (hObject=0x210) returned 1 [0104.719] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0104.739] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.740] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.740] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0104.740] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0104.740] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0104.740] CloseHandle (hObject=0x210) returned 1 [0104.743] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="centralcreditcard.exe", cchWideChar=21, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="centralcreditcard.exexe famous.exe", lpUsedDefaultChar=0x0) returned 21 [0104.746] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exeexexe famous.exe", lpUsedDefaultChar=0x0) returned 22 [0104.746] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0104.747] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.747] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.747] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0104.747] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0104.748] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0104.748] CloseHandle (hObject=0x210) returned 1 [0104.750] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="creditservice.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="creditservice.exeeexexe famous.exe", lpUsedDefaultChar=0x0) returned 17 [0104.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exeexexe famous.exe", lpUsedDefaultChar=0x0) returned 22 [0104.755] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0104.756] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0104.756] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0104.757] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0104.757] CloseHandle (hObject=0x210) returned 1 [0104.758] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="edcsvr.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="edcsvr.exetsvc.exeexexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0104.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeagntsvc.exe", cchWideChar=22, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeagntsvc.exeexexe famous.exe", lpUsedDefaultChar=0x0) returned 22 [0104.761] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0104.762] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.762] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.762] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0104.762] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0104.763] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0104.763] CloseHandle (hObject=0x210) returned 1 [0104.763] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0104.764] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.764] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.764] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0104.765] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0104.765] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0104.765] CloseHandle (hObject=0x210) returned 1 [0104.766] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0104.767] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.864] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.864] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0104.864] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0104.864] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0104.865] CloseHandle (hObject=0x210) returned 1 [0104.865] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0104.866] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.866] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.866] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0104.866] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0104.867] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0104.867] CloseHandle (hObject=0x210) returned 1 [0104.867] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0104.868] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.868] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.868] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0104.868] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0104.869] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0104.869] CloseHandle (hObject=0x210) returned 1 [0104.869] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0104.870] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.870] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.870] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0104.870] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0104.870] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0104.871] CloseHandle (hObject=0x210) returned 1 [0104.871] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0104.872] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.872] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.872] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0104.872] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0104.872] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0104.873] CloseHandle (hObject=0x210) returned 1 [0104.873] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0104.874] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.874] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.874] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0104.874] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0104.874] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0104.875] CloseHandle (hObject=0x210) returned 1 [0104.875] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0104.876] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.876] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.876] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0104.876] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0104.877] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0104.877] CloseHandle (hObject=0x210) returned 1 [0104.877] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0104.878] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.878] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0104.878] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0104.878] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0104.879] CloseHandle (hObject=0x210) returned 1 [0104.879] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0104.880] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.880] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.880] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0104.880] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0104.880] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0104.880] CloseHandle (hObject=0x210) returned 1 [0104.881] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0104.882] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.882] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.882] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0104.882] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0104.882] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0104.882] CloseHandle (hObject=0x210) returned 1 [0104.882] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0104.883] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.883] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.884] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0104.884] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0104.884] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0104.884] CloseHandle (hObject=0x210) returned 1 [0104.884] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0104.885] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.885] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a0) returned 0x210 [0104.885] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0104.886] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0104.886] CloseHandle (hObject=0x210) returned 1 [0104.886] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0104.887] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.887] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.887] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0104.887] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0104.888] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0104.888] CloseHandle (hObject=0x210) returned 1 [0104.888] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0104.889] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.889] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.889] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0104.889] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0104.889] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0104.890] CloseHandle (hObject=0x210) returned 1 [0104.890] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0104.890] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.891] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.891] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0104.891] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0104.891] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0104.891] CloseHandle (hObject=0x210) returned 1 [0104.891] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0104.893] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.893] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.893] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0104.893] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0104.894] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0104.894] CloseHandle (hObject=0x210) returned 1 [0104.894] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0104.895] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0104.895] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0104.895] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0104.896] CloseHandle (hObject=0x210) returned 1 [0104.896] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0104.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.897] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.897] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0104.897] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0104.897] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0104.897] CloseHandle (hObject=0x210) returned 1 [0104.897] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0104.898] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.898] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.899] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0104.899] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0104.899] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0104.899] CloseHandle (hObject=0x210) returned 1 [0104.899] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0104.900] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.900] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.900] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0104.900] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0104.901] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0104.901] CloseHandle (hObject=0x210) returned 1 [0104.901] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x112c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svsxchost.exe")) returned 1 [0104.902] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.902] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.902] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x112c) returned 0x210 [0104.902] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.902] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 1 [0104.903] CloseHandle (hObject=0x210) returned 1 [0104.903] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0104.903] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0104.904] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0104.904] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0104.904] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 0 [0104.904] GetLastError () returned 0x1f [0104.904] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\svsxchost.exe", lpdwSize=0x10bf57c) returned 0 [0104.904] CloseHandle (hObject=0x210) returned 1 [0105.110] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0105.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.112] CloseHandle (hObject=0x210) returned 1 [0105.112] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0105.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0105.113] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0105.113] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0105.113] CloseHandle (hObject=0x210) returned 1 [0105.113] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.114] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0105.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0105.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0105.114] CloseHandle (hObject=0x210) returned 1 [0105.114] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0105.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0105.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0105.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0105.116] CloseHandle (hObject=0x210) returned 1 [0105.116] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x717f8, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x5000005, szExeFile="??Q???")) returned 0 [0105.116] CloseHandle (hObject=0x20c) returned 1 [0105.116] Sleep (dwMilliseconds=0x1) [0105.419] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0105.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x334dc0, cbMultiByte=21, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exeencsvc.exee") returned 21 [0105.422] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeencsvc.exe", cchWideChar=21, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeencsvc.exe", lpUsedDefaultChar=0x0) returned 21 [0105.422] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0105.424] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeexeencsvc.exe", lpUsedDefaultChar=0x0) returned 12 [0105.424] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0105.438] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0105.439] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.768] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.768] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0105.770] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeencsvc.exe", cchWideChar=21, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeencsvc.exeû\x06", lpUsedDefaultChar=0x0) returned 21 [0105.770] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0105.771] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.771] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.771] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0105.772] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 0 [0105.772] GetLastError () returned 0x1f [0105.772] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 0 [0105.772] CloseHandle (hObject=0x210) returned 1 [0105.784] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0105.785] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.785] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.785] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0105.785] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0105.786] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0105.786] CloseHandle (hObject=0x210) returned 1 [0105.786] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.787] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.787] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.787] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0105.787] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0105.788] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.788] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.788] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0105.788] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0105.789] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0105.789] CloseHandle (hObject=0x210) returned 1 [0105.789] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0105.790] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.790] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.790] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0105.790] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0105.791] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.791] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.791] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0105.791] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0105.791] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0105.792] CloseHandle (hObject=0x210) returned 1 [0105.792] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0105.792] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.793] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.793] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0105.793] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0105.793] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0105.793] CloseHandle (hObject=0x210) returned 1 [0105.793] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0105.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0105.794] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0105.795] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62594, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0105.795] CloseHandle (hObject=0x210) returned 1 [0105.795] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.796] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.796] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.796] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0105.796] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.796] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.796] CloseHandle (hObject=0x210) returned 1 [0105.796] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0105.797] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.797] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.797] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0105.797] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0105.878] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.878] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0105.878] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.879] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.879] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.879] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0105.880] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.880] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.880] CloseHandle (hObject=0x210) returned 1 [0105.880] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0105.881] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.881] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.881] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0105.881] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.882] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.882] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.882] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0105.882] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.883] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.883] CloseHandle (hObject=0x210) returned 1 [0105.883] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.884] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.884] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.884] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0105.884] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.884] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.936] CloseHandle (hObject=0x210) returned 1 [0105.936] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.937] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.937] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.937] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0105.937] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.938] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.938] CloseHandle (hObject=0x210) returned 1 [0105.938] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.939] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.939] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.939] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0105.939] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.939] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.940] CloseHandle (hObject=0x210) returned 1 [0105.940] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.940] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.941] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.941] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0105.941] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.941] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.941] CloseHandle (hObject=0x210) returned 1 [0105.941] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.942] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.942] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.942] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0105.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.942] CloseHandle (hObject=0x210) returned 1 [0105.943] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.943] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.943] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.943] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0105.943] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.944] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.944] CloseHandle (hObject=0x210) returned 1 [0105.944] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.944] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.944] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.944] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0105.945] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.945] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.945] CloseHandle (hObject=0x210) returned 1 [0105.945] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.946] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.946] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.946] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0105.946] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.946] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.946] CloseHandle (hObject=0x210) returned 1 [0105.946] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.947] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.947] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.947] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0105.947] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.947] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.948] CloseHandle (hObject=0x210) returned 1 [0105.948] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.948] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.948] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.949] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0105.949] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.949] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.949] CloseHandle (hObject=0x210) returned 1 [0105.949] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0105.950] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.950] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.950] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0105.950] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0105.950] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0105.951] CloseHandle (hObject=0x210) returned 1 [0105.951] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0105.951] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.951] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.951] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0105.951] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0105.952] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0105.952] CloseHandle (hObject=0x210) returned 1 [0105.952] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0105.952] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.952] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.952] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0105.953] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0105.953] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0105.953] CloseHandle (hObject=0x210) returned 1 [0105.953] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0105.954] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.954] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.954] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0105.954] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.954] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0105.954] CloseHandle (hObject=0x210) returned 1 [0105.954] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0105.955] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.955] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.955] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0105.955] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0105.955] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0105.955] CloseHandle (hObject=0x210) returned 1 [0105.956] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0105.956] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.956] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.956] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0105.956] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0105.957] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0105.957] CloseHandle (hObject=0x210) returned 1 [0105.957] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0105.957] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.957] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.958] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0105.958] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0105.958] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0105.958] CloseHandle (hObject=0x210) returned 1 [0105.958] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0105.959] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.959] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.959] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0105.959] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0105.959] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0105.959] CloseHandle (hObject=0x210) returned 1 [0105.959] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0105.960] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0105.960] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0105.960] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0105.960] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0105.960] GetLastError () returned 0x1f [0105.960] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0105.960] CloseHandle (hObject=0x210) returned 1 [0106.085] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0106.086] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.086] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.086] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0106.086] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0106.087] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0106.087] CloseHandle (hObject=0x210) returned 1 [0106.087] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0106.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0106.088] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0106.088] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0106.088] CloseHandle (hObject=0x210) returned 1 [0106.089] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0106.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.094] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0106.094] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0106.095] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0106.095] CloseHandle (hObject=0x210) returned 1 [0106.095] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0106.097] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0106.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.098] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0106.098] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.099] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0106.099] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.100] CloseHandle (hObject=0x210) returned 1 [0106.100] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0106.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.101] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.101] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0106.101] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0106.102] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0106.102] CloseHandle (hObject=0x210) returned 1 [0106.102] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0106.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0106.103] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0106.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0106.104] CloseHandle (hObject=0x210) returned 1 [0106.104] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0106.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0106.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0106.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0106.106] CloseHandle (hObject=0x210) returned 1 [0106.106] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0106.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.108] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.108] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0106.109] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0106.109] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0106.109] CloseHandle (hObject=0x210) returned 1 [0106.109] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0106.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0106.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0106.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0106.112] CloseHandle (hObject=0x210) returned 1 [0106.112] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0106.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0106.113] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0106.113] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0106.114] CloseHandle (hObject=0x210) returned 1 [0106.114] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0106.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0106.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0106.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0106.115] CloseHandle (hObject=0x210) returned 1 [0106.115] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0106.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.116] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.116] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0106.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0106.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0106.117] CloseHandle (hObject=0x210) returned 1 [0106.117] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0106.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.118] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.118] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0106.118] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0106.119] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0106.119] CloseHandle (hObject=0x210) returned 1 [0106.119] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0106.120] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.120] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.120] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0106.120] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0106.120] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0106.120] CloseHandle (hObject=0x210) returned 1 [0106.120] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0106.121] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.121] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.121] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0106.121] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0106.122] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0106.122] CloseHandle (hObject=0x210) returned 1 [0106.122] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0106.122] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.123] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.123] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0106.123] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0106.123] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0106.123] CloseHandle (hObject=0x210) returned 1 [0106.123] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0106.124] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.124] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.124] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0106.124] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0106.124] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0106.125] CloseHandle (hObject=0x210) returned 1 [0106.125] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0106.125] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.126] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.126] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0106.126] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0106.126] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0106.218] CloseHandle (hObject=0x210) returned 1 [0106.218] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0106.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0106.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0106.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0106.220] CloseHandle (hObject=0x210) returned 1 [0106.220] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0106.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.221] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0106.222] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0106.222] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0106.222] CloseHandle (hObject=0x210) returned 1 [0106.222] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0106.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.223] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.223] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0106.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0106.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0106.224] CloseHandle (hObject=0x210) returned 1 [0106.224] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0106.225] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.225] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.225] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0106.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0106.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0106.226] CloseHandle (hObject=0x210) returned 1 [0106.226] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0106.227] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.227] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.227] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0106.227] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.228] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.228] CloseHandle (hObject=0x210) returned 1 [0106.228] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0106.229] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0106.230] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0106.230] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0106.230] CloseHandle (hObject=0x210) returned 1 [0106.230] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0106.232] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.232] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.232] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0106.232] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.232] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.232] CloseHandle (hObject=0x210) returned 1 [0106.233] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0106.234] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.234] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.234] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0106.234] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0106.235] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0106.235] CloseHandle (hObject=0x210) returned 1 [0106.235] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0106.237] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.237] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.237] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0106.237] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0106.237] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0106.237] CloseHandle (hObject=0x210) returned 1 [0106.238] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0106.239] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.239] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.239] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0106.239] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.240] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.240] CloseHandle (hObject=0x210) returned 1 [0106.240] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0106.241] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.241] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.241] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0106.241] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0106.242] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0106.242] CloseHandle (hObject=0x210) returned 1 [0106.242] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0106.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0106.244] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0106.244] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0106.244] CloseHandle (hObject=0x210) returned 1 [0106.244] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0106.246] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0106.246] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0106.246] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0106.247] CloseHandle (hObject=0x210) returned 1 [0106.247] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0106.248] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.248] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.248] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0106.248] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0106.249] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0106.249] CloseHandle (hObject=0x210) returned 1 [0106.249] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0106.250] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.251] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.251] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0106.251] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0106.251] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0106.251] CloseHandle (hObject=0x210) returned 1 [0106.251] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0106.412] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.412] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0106.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0106.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0106.413] CloseHandle (hObject=0x210) returned 1 [0106.413] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0106.414] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.415] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.415] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0106.415] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0106.415] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0106.415] CloseHandle (hObject=0x210) returned 1 [0106.415] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0106.417] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.417] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.417] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0106.417] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.417] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.418] CloseHandle (hObject=0x210) returned 1 [0106.418] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0106.419] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.419] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.419] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0106.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.420] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.420] CloseHandle (hObject=0x210) returned 1 [0106.420] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0106.421] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.421] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.422] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0106.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0106.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0106.422] CloseHandle (hObject=0x210) returned 1 [0106.422] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0106.424] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.424] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.424] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0106.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0106.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0106.425] CloseHandle (hObject=0x210) returned 1 [0106.425] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0106.426] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.426] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.426] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0106.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0106.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0106.427] CloseHandle (hObject=0x210) returned 1 [0106.427] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0106.428] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.428] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.428] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0106.428] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0106.428] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0106.429] CloseHandle (hObject=0x210) returned 1 [0106.429] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0106.430] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.430] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.430] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0106.430] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.431] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.431] CloseHandle (hObject=0x210) returned 1 [0106.431] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0106.432] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.432] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.432] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0106.433] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0106.433] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0106.433] CloseHandle (hObject=0x210) returned 1 [0106.433] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0106.434] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.435] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.435] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0106.435] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.435] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0106.435] CloseHandle (hObject=0x210) returned 1 [0106.435] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0106.437] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.437] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.437] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0106.437] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0106.437] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0106.438] CloseHandle (hObject=0x210) returned 1 [0106.438] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0106.439] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.439] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0106.439] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0106.440] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0106.440] CloseHandle (hObject=0x210) returned 1 [0106.440] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0106.441] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.441] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.441] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0106.441] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0106.442] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0106.442] CloseHandle (hObject=0x210) returned 1 [0106.442] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0106.443] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.443] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.443] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0106.444] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0106.444] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0106.444] CloseHandle (hObject=0x210) returned 1 [0106.444] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0106.445] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.448] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.448] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0106.448] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0106.448] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0106.449] CloseHandle (hObject=0x210) returned 1 [0106.449] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0106.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0106.450] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0106.450] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0106.451] CloseHandle (hObject=0x210) returned 1 [0106.451] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0106.452] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.452] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.452] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0106.452] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0106.452] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0106.453] CloseHandle (hObject=0x210) returned 1 [0106.453] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0106.454] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.454] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.568] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0106.568] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0106.568] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0106.568] CloseHandle (hObject=0x210) returned 1 [0106.569] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0106.570] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.570] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.570] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0106.570] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0106.571] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0106.571] CloseHandle (hObject=0x210) returned 1 [0106.571] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0106.572] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.572] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.572] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0106.572] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0106.573] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0106.573] CloseHandle (hObject=0x210) returned 1 [0106.573] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0106.574] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.574] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.574] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0106.574] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0106.575] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0106.575] CloseHandle (hObject=0x210) returned 1 [0106.575] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0106.576] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.576] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.576] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0106.576] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0106.577] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0106.577] CloseHandle (hObject=0x210) returned 1 [0106.577] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0106.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.578] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.578] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0106.578] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0106.578] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0106.579] CloseHandle (hObject=0x210) returned 1 [0106.579] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0106.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0106.581] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0106.581] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0106.581] CloseHandle (hObject=0x210) returned 1 [0106.581] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0106.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.582] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0106.582] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0106.583] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0106.583] CloseHandle (hObject=0x210) returned 1 [0106.583] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0106.584] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.584] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.584] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0106.584] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0106.585] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0106.585] CloseHandle (hObject=0x210) returned 1 [0106.585] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0106.586] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.586] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.586] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0106.586] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0106.587] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0106.587] CloseHandle (hObject=0x210) returned 1 [0106.587] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0106.588] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0106.588] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0106.588] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0106.589] CloseHandle (hObject=0x210) returned 1 [0106.589] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0106.590] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.590] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.590] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0106.590] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0106.590] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0106.591] CloseHandle (hObject=0x210) returned 1 [0106.591] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0106.592] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.592] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.592] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0106.592] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0106.592] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0106.592] CloseHandle (hObject=0x210) returned 1 [0106.592] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0106.593] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.594] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.594] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0106.594] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0106.594] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0106.594] CloseHandle (hObject=0x210) returned 1 [0106.594] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0106.595] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.595] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0106.595] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0106.596] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0106.596] CloseHandle (hObject=0x210) returned 1 [0106.596] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0106.597] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.597] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.597] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0106.597] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0106.597] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0106.597] CloseHandle (hObject=0x210) returned 1 [0106.597] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0106.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.598] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.598] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0106.598] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0106.599] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0106.599] CloseHandle (hObject=0x210) returned 1 [0106.599] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0106.600] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.600] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.600] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0106.600] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0106.601] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0106.601] CloseHandle (hObject=0x210) returned 1 [0106.601] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0106.602] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.602] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.602] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0106.602] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0106.602] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0106.603] CloseHandle (hObject=0x210) returned 1 [0106.603] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0106.604] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.604] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.604] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0106.604] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0106.604] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0106.604] CloseHandle (hObject=0x210) returned 1 [0106.605] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0106.606] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.606] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.606] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0106.606] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0106.606] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0106.606] CloseHandle (hObject=0x210) returned 1 [0106.606] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0106.607] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.608] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a0) returned 0x210 [0106.608] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0106.608] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0106.608] CloseHandle (hObject=0x210) returned 1 [0106.608] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0106.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.609] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.609] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0106.609] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0106.610] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0106.610] CloseHandle (hObject=0x210) returned 1 [0106.610] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0106.674] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0106.674] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0106.675] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0106.675] CloseHandle (hObject=0x210) returned 1 [0106.675] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0106.676] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.676] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.676] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0106.676] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0106.677] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0106.677] CloseHandle (hObject=0x210) returned 1 [0106.677] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0106.678] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.678] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.678] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0106.678] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0106.678] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0106.679] CloseHandle (hObject=0x210) returned 1 [0106.679] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0106.680] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.680] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.680] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0106.680] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0106.680] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0106.680] CloseHandle (hObject=0x210) returned 1 [0106.680] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0106.681] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.682] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.682] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0106.682] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0106.682] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0106.682] CloseHandle (hObject=0x210) returned 1 [0106.682] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0106.683] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.683] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.683] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0106.683] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0106.684] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0106.684] CloseHandle (hObject=0x210) returned 1 [0106.684] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0106.685] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.685] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.685] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0106.685] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0106.685] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0106.686] CloseHandle (hObject=0x210) returned 1 [0106.686] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x112c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svsxchost.exe")) returned 1 [0106.687] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.687] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.687] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x112c) returned 0x0 [0106.687] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0106.688] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.688] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.688] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0106.688] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0106.688] GetLastError () returned 0x1f [0106.688] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0106.688] CloseHandle (hObject=0x210) returned 1 [0106.703] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.704] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.704] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.705] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0106.705] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.705] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.705] CloseHandle (hObject=0x210) returned 1 [0106.706] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0106.706] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.706] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.707] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0106.707] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0106.707] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0106.707] CloseHandle (hObject=0x210) returned 1 [0106.707] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.708] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.708] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.708] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0106.708] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0106.709] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0106.709] CloseHandle (hObject=0x210) returned 1 [0106.709] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0106.710] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.710] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.710] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0106.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0106.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0106.711] CloseHandle (hObject=0x210) returned 1 [0106.711] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??????")) returned 0 [0106.711] CloseHandle (hObject=0x20c) returned 1 [0106.712] Sleep (dwMilliseconds=0x1) [0106.815] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0106.815] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x334de8, cbMultiByte=26, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="agntsvc.exeisqlplussvc.exe") returned 26 [0106.818] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exet.exe", lpUsedDefaultChar=0x0) returned 26 [0106.819] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0106.820] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeexeisqlplussvc.exet.exe", lpUsedDefaultChar=0x0) returned 12 [0106.820] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0106.834] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0106.835] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.835] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.835] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0106.838] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exeplorer.exeexeisqlplussvc.exet.exe", lpUsedDefaultChar=0x0) returned 26 [0106.838] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0106.839] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.839] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.839] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0106.839] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 0 [0106.839] GetLastError () returned 0x1f [0106.840] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 0 [0106.840] CloseHandle (hObject=0x210) returned 1 [0106.847] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0106.848] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.848] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.848] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0106.849] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0106.849] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0106.849] CloseHandle (hObject=0x210) returned 1 [0106.849] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.850] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.850] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.850] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0106.850] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0106.851] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.851] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.851] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0106.851] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0106.852] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0106.852] CloseHandle (hObject=0x210) returned 1 [0106.852] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0106.853] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.853] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.853] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0106.853] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0106.854] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.854] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.854] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0106.854] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0106.854] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0106.855] CloseHandle (hObject=0x210) returned 1 [0106.855] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0106.855] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.856] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.856] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0106.856] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0106.856] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0106.856] CloseHandle (hObject=0x210) returned 1 [0106.856] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0106.857] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.857] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.857] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0106.857] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0106.858] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0106.858] CloseHandle (hObject=0x210) returned 1 [0106.858] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.859] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.859] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.859] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0106.859] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.859] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.859] CloseHandle (hObject=0x210) returned 1 [0106.859] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0106.860] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.860] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.860] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0106.914] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0106.915] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.915] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.915] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0106.915] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.916] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.916] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.916] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0106.916] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.916] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.917] CloseHandle (hObject=0x210) returned 1 [0106.917] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0106.917] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.918] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.918] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0106.918] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.918] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.919] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.919] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0106.919] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.919] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.919] CloseHandle (hObject=0x210) returned 1 [0106.919] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.920] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.920] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.920] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0106.920] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.920] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.920] CloseHandle (hObject=0x210) returned 1 [0106.920] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.921] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.921] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.921] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0106.921] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.921] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.922] CloseHandle (hObject=0x210) returned 1 [0106.922] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.922] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.922] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.922] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0106.922] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.923] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.923] CloseHandle (hObject=0x210) returned 1 [0106.923] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.924] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.924] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.924] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0106.924] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.924] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.924] CloseHandle (hObject=0x210) returned 1 [0106.925] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.925] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.925] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.925] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0106.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.926] CloseHandle (hObject=0x210) returned 1 [0106.926] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.926] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.926] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.926] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0106.927] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.927] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.927] CloseHandle (hObject=0x210) returned 1 [0106.927] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.928] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.928] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.928] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0106.928] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.928] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.928] CloseHandle (hObject=0x210) returned 1 [0106.928] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.929] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.929] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.929] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0106.929] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.929] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.929] CloseHandle (hObject=0x210) returned 1 [0106.929] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.930] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.930] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.930] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0106.930] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.930] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.931] CloseHandle (hObject=0x210) returned 1 [0106.931] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.931] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.931] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.931] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0106.931] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.932] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.932] CloseHandle (hObject=0x210) returned 1 [0106.932] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0106.938] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.938] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.939] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0106.940] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0106.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0106.943] CloseHandle (hObject=0x210) returned 1 [0106.943] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0106.944] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.944] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.944] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0106.944] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0106.944] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0106.944] CloseHandle (hObject=0x210) returned 1 [0106.944] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0106.945] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.945] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.952] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0106.952] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0106.952] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0106.952] CloseHandle (hObject=0x210) returned 1 [0106.952] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0106.953] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.953] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.954] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0106.954] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.954] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0106.955] CloseHandle (hObject=0x210) returned 1 [0106.955] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0106.956] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.956] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.956] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0106.956] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0106.956] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0106.956] CloseHandle (hObject=0x210) returned 1 [0106.956] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0106.957] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.957] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.957] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0106.957] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0106.957] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0106.958] CloseHandle (hObject=0x210) returned 1 [0106.958] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0106.959] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.959] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.959] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0106.959] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0106.959] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0106.959] CloseHandle (hObject=0x210) returned 1 [0106.959] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0106.960] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.960] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.960] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0106.961] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0106.961] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0106.961] CloseHandle (hObject=0x210) returned 1 [0106.961] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0106.962] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0106.962] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0106.962] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0106.962] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0106.962] GetLastError () returned 0x1f [0106.962] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0106.963] CloseHandle (hObject=0x210) returned 1 [0107.151] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0107.152] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.152] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.152] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0107.152] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0107.153] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0107.153] CloseHandle (hObject=0x210) returned 1 [0107.153] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0107.154] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.154] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.154] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0107.154] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0107.154] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0107.155] CloseHandle (hObject=0x210) returned 1 [0107.155] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0107.155] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.156] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.156] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0107.156] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0107.156] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0107.156] CloseHandle (hObject=0x210) returned 1 [0107.156] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0107.157] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.157] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.157] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0107.157] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0107.158] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.158] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.158] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0107.158] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.159] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.159] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.159] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0107.159] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.160] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.160] CloseHandle (hObject=0x210) returned 1 [0107.160] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0107.161] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.161] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.161] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0107.161] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0107.162] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0107.162] CloseHandle (hObject=0x210) returned 1 [0107.162] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0107.163] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.163] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.163] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0107.163] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0107.163] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0107.163] CloseHandle (hObject=0x210) returned 1 [0107.164] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0107.164] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.165] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.165] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0107.165] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0107.165] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0107.165] CloseHandle (hObject=0x210) returned 1 [0107.165] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0107.166] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.166] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.166] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0107.166] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0107.167] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0107.167] CloseHandle (hObject=0x210) returned 1 [0107.167] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0107.168] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.168] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.168] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0107.168] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0107.168] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0107.168] CloseHandle (hObject=0x210) returned 1 [0107.169] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0107.169] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.170] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.170] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0107.170] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0107.170] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0107.170] CloseHandle (hObject=0x210) returned 1 [0107.170] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0107.171] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.171] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.171] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0107.171] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0107.171] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0107.172] CloseHandle (hObject=0x210) returned 1 [0107.172] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0107.173] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.173] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.173] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0107.173] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0107.173] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0107.173] CloseHandle (hObject=0x210) returned 1 [0107.174] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0107.174] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.174] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.174] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0107.175] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0107.175] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0107.175] CloseHandle (hObject=0x210) returned 1 [0107.175] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0107.176] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.176] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.176] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0107.176] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0107.177] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0107.177] CloseHandle (hObject=0x210) returned 1 [0107.177] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0107.178] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.178] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.178] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0107.178] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0107.178] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0107.178] CloseHandle (hObject=0x210) returned 1 [0107.179] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0107.179] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.179] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.180] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0107.180] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0107.180] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0107.180] CloseHandle (hObject=0x210) returned 1 [0107.180] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0107.181] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.181] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.181] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0107.181] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0107.182] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0107.182] CloseHandle (hObject=0x210) returned 1 [0107.182] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0107.183] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.183] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.183] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0107.183] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0107.183] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0107.184] CloseHandle (hObject=0x210) returned 1 [0107.184] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0107.185] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.185] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.185] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0107.185] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0107.185] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0107.185] CloseHandle (hObject=0x210) returned 1 [0107.185] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0107.186] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.186] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.186] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0107.186] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0107.187] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0107.187] CloseHandle (hObject=0x210) returned 1 [0107.187] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0107.188] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0107.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0107.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0107.296] CloseHandle (hObject=0x210) returned 1 [0107.296] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0107.297] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.297] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.297] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0107.297] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0107.298] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0107.331] CloseHandle (hObject=0x210) returned 1 [0107.333] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ko_ferrari_inspired.exe", cchWideChar=23, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ko_ferrari_inspired.exe famous.exe", lpUsedDefaultChar=0x0) returned 23 [0107.337] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exee famous.exe", lpUsedDefaultChar=0x0) returned 26 [0107.337] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0107.338] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.338] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.338] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0107.338] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.339] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.339] CloseHandle (hObject=0x210) returned 1 [0107.340] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3dftp.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3dftp.exeqlplussvc.exee famous.exe", lpUsedDefaultChar=0x0) returned 9 [0107.343] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exee famous.exe", lpUsedDefaultChar=0x0) returned 26 [0107.343] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0107.345] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.346] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.346] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0107.346] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0107.347] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0107.347] CloseHandle (hObject=0x210) returned 1 [0107.349] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="absolutetelnet.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="absolutetelnet.exe.exee famous.exe", lpUsedDefaultChar=0x0) returned 18 [0107.351] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0107.352] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.353] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.353] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0107.353] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.353] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.353] CloseHandle (hObject=0x210) returned 1 [0107.354] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0107.355] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.355] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.355] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0107.355] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0107.356] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0107.356] CloseHandle (hObject=0x210) returned 1 [0107.356] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0107.357] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.357] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.357] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0107.357] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0107.358] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0107.358] CloseHandle (hObject=0x210) returned 1 [0107.358] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0107.359] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.360] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.360] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0107.360] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.360] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.360] CloseHandle (hObject=0x210) returned 1 [0107.533] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0107.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0107.534] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0107.535] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0107.535] CloseHandle (hObject=0x210) returned 1 [0107.535] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0107.536] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.536] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.536] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0107.536] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0107.536] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0107.537] CloseHandle (hObject=0x210) returned 1 [0107.537] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0107.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0107.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0107.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0107.538] CloseHandle (hObject=0x210) returned 1 [0107.538] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0107.539] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.539] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.539] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0107.539] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0107.540] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0107.540] CloseHandle (hObject=0x210) returned 1 [0107.540] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0107.541] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.541] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.541] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0107.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0107.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0107.542] CloseHandle (hObject=0x210) returned 1 [0107.542] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0107.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0107.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0107.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0107.543] CloseHandle (hObject=0x210) returned 1 [0107.543] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0107.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.544] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.544] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0107.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0107.545] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0107.545] CloseHandle (hObject=0x210) returned 1 [0107.545] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0107.546] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.546] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.546] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0107.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.546] CloseHandle (hObject=0x210) returned 1 [0107.546] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0107.547] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.548] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.548] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0107.548] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.548] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.548] CloseHandle (hObject=0x210) returned 1 [0107.548] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0107.549] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0107.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0107.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0107.550] CloseHandle (hObject=0x210) returned 1 [0107.550] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0107.551] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.551] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.551] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0107.551] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0107.551] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0107.552] CloseHandle (hObject=0x210) returned 1 [0107.552] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0107.553] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.553] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.553] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0107.553] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0107.553] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0107.553] CloseHandle (hObject=0x210) returned 1 [0107.553] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0107.554] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.554] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.554] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0107.554] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0107.554] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0107.555] CloseHandle (hObject=0x210) returned 1 [0107.555] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0107.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0107.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.556] CloseHandle (hObject=0x210) returned 1 [0107.556] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0107.557] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.557] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.557] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0107.557] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0107.558] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0107.558] CloseHandle (hObject=0x210) returned 1 [0107.558] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0107.559] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.559] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.559] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0107.559] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.559] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0107.559] CloseHandle (hObject=0x210) returned 1 [0107.560] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0107.560] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.561] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.561] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0107.561] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0107.561] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0107.561] CloseHandle (hObject=0x210) returned 1 [0107.561] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0107.562] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.562] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.562] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0107.562] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0107.563] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0107.563] CloseHandle (hObject=0x210) returned 1 [0107.563] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0107.565] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.565] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.565] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0107.565] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0107.565] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0107.565] CloseHandle (hObject=0x210) returned 1 [0107.565] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0107.566] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.567] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.567] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0107.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0107.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0107.567] CloseHandle (hObject=0x210) returned 1 [0107.567] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0107.568] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.568] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.568] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0107.568] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0107.569] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0107.569] CloseHandle (hObject=0x210) returned 1 [0107.569] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0107.570] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.571] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.571] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0107.571] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0107.571] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0107.572] CloseHandle (hObject=0x210) returned 1 [0107.572] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0107.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0107.573] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0107.573] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0107.574] CloseHandle (hObject=0x210) returned 1 [0107.574] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0107.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0107.575] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0107.575] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0107.575] CloseHandle (hObject=0x210) returned 1 [0107.575] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0107.577] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.577] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.577] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0107.577] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0107.577] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0107.577] CloseHandle (hObject=0x210) returned 1 [0107.577] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0107.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.578] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.578] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0107.579] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0107.579] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0107.579] CloseHandle (hObject=0x210) returned 1 [0107.579] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0107.631] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.631] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.631] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0107.631] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0107.632] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0107.632] CloseHandle (hObject=0x210) returned 1 [0107.632] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0107.633] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.633] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.633] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0107.633] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0107.633] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0107.633] CloseHandle (hObject=0x210) returned 1 [0107.633] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0107.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0107.634] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0107.635] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0107.635] CloseHandle (hObject=0x210) returned 1 [0107.635] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0107.636] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.636] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.636] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0107.636] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0107.636] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0107.637] CloseHandle (hObject=0x210) returned 1 [0107.637] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0107.637] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.638] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.638] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0107.638] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0107.638] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0107.638] CloseHandle (hObject=0x210) returned 1 [0107.638] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0107.639] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.639] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.639] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0107.639] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0107.639] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0107.640] CloseHandle (hObject=0x210) returned 1 [0107.640] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0107.641] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.641] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.641] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0107.641] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0107.641] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0107.641] CloseHandle (hObject=0x210) returned 1 [0107.641] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0107.642] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.642] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.642] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0107.642] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0107.643] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0107.643] CloseHandle (hObject=0x210) returned 1 [0107.643] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0107.644] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.644] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.644] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0107.644] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0107.644] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0107.645] CloseHandle (hObject=0x210) returned 1 [0107.645] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0107.645] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.646] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.646] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0107.646] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0107.646] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0107.646] CloseHandle (hObject=0x210) returned 1 [0107.646] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0107.647] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.647] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.647] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0107.648] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0107.648] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0107.648] CloseHandle (hObject=0x210) returned 1 [0107.648] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0107.649] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.649] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.649] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0107.649] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0107.650] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0107.650] CloseHandle (hObject=0x210) returned 1 [0107.650] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0107.651] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.651] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.651] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0107.651] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0107.651] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0107.652] CloseHandle (hObject=0x210) returned 1 [0107.652] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0107.652] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.653] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.653] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0107.653] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0107.653] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0107.653] CloseHandle (hObject=0x210) returned 1 [0107.653] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0107.654] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.654] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.654] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0107.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0107.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0107.654] CloseHandle (hObject=0x210) returned 1 [0107.654] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0107.655] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.655] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.655] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0107.655] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0107.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0107.656] CloseHandle (hObject=0x210) returned 1 [0107.656] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0107.657] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.657] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.657] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0107.657] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0107.657] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0107.657] CloseHandle (hObject=0x210) returned 1 [0107.659] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exeussvc.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 13 [0107.661] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 26 [0107.661] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0107.662] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.662] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.662] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0107.662] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0107.663] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0107.663] CloseHandle (hObject=0x210) returned 1 [0107.664] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="UsoClient.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UsoClient.exeussvc.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 13 [0107.667] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="agntsvc.exeisqlplussvc.exe", cchWideChar=26, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agntsvc.exeisqlplussvc.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 26 [0107.667] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0107.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a0) returned 0x210 [0107.668] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0107.668] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0107.668] CloseHandle (hObject=0x210) returned 1 [0107.670] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exeussvc.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 13 [0107.672] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0107.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.738] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0107.738] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0107.738] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0107.738] CloseHandle (hObject=0x210) returned 1 [0107.738] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0107.739] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.739] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.739] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0107.739] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0107.740] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0107.740] CloseHandle (hObject=0x210) returned 1 [0107.740] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0107.741] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.741] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.741] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0107.741] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0107.741] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0107.741] CloseHandle (hObject=0x210) returned 1 [0107.741] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0107.742] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.742] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.742] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0107.742] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0107.743] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0107.743] CloseHandle (hObject=0x210) returned 1 [0107.743] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0107.744] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.744] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.745] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0107.745] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0107.746] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0107.746] CloseHandle (hObject=0x210) returned 1 [0107.746] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0107.747] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.747] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.747] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0107.747] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0107.748] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0107.748] CloseHandle (hObject=0x210) returned 1 [0107.748] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0107.749] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.749] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.749] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0107.749] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0107.749] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0107.749] CloseHandle (hObject=0x210) returned 1 [0107.749] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0107.750] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.750] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.750] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0107.751] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0107.751] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0107.751] CloseHandle (hObject=0x210) returned 1 [0107.751] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0107.753] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.753] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.753] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0107.753] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0107.753] GetLastError () returned 0x1f [0107.753] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0107.753] CloseHandle (hObject=0x210) returned 1 [0107.766] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.767] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.767] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.768] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0107.768] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.768] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.768] CloseHandle (hObject=0x210) returned 1 [0107.768] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0107.769] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.769] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.769] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0107.769] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0107.769] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0107.769] CloseHandle (hObject=0x210) returned 1 [0107.770] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0107.770] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.770] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.770] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0107.770] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0107.771] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0107.771] CloseHandle (hObject=0x210) returned 1 [0107.771] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0107.772] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.772] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.772] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0107.772] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0107.772] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0107.772] CloseHandle (hObject=0x210) returned 1 [0107.772] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0107.773] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.773] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.773] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0107.773] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0107.773] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0107.774] CloseHandle (hObject=0x210) returned 1 [0107.774] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x70e8c, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??????")) returned 0 [0107.774] CloseHandle (hObject=0x20c) returned 1 [0107.774] Sleep (dwMilliseconds=0x1) [0107.811] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0107.811] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359768, cbMultiByte=9, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="anvir.exexeisqlplussvc.exe") returned 9 [0107.812] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exe", lpUsedDefaultChar=0x0) returned 9 [0107.812] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0107.814] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exee", lpUsedDefaultChar=0x0) returned 12 [0107.814] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0107.822] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0107.822] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.823] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0107.824] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exe", lpUsedDefaultChar=0x0) returned 9 [0107.824] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0107.824] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.824] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.824] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0107.824] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0107.824] GetLastError () returned 0x1f [0107.825] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0107.825] CloseHandle (hObject=0x210) returned 1 [0107.834] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0107.835] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.835] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.835] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0107.835] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0107.836] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0107.836] CloseHandle (hObject=0x210) returned 1 [0107.836] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.837] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.838] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.838] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0107.838] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0107.840] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.840] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.840] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0107.840] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0107.840] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0107.841] CloseHandle (hObject=0x210) returned 1 [0107.841] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0107.841] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.842] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.842] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0107.842] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0107.842] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.842] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.843] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0107.843] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0107.843] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0107.843] CloseHandle (hObject=0x210) returned 1 [0107.843] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0107.844] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.844] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.844] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0107.844] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0107.844] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0107.844] CloseHandle (hObject=0x210) returned 1 [0107.844] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0107.901] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.901] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.902] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0107.902] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0107.903] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0107.904] CloseHandle (hObject=0x210) returned 1 [0107.906] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exeexe", lpUsedDefaultChar=0x0) returned 9 [0107.907] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exe.exeexe", lpUsedDefaultChar=0x0) returned 9 [0107.907] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.908] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.908] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.908] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0107.908] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.909] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.909] CloseHandle (hObject=0x210) returned 1 [0107.910] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0107.912] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exest.exee", lpUsedDefaultChar=0x0) returned 9 [0107.912] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0107.913] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.913] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.913] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0107.915] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0107.920] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exest.exee", lpUsedDefaultChar=0x0) returned 9 [0107.920] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0107.923] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.924] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.924] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0107.944] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0107.945] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exest.exee", lpUsedDefaultChar=0x0) returned 9 [0107.945] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.946] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.946] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.946] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0107.946] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.947] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.947] CloseHandle (hObject=0x210) returned 1 [0107.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0107.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exest.exee", lpUsedDefaultChar=0x0) returned 9 [0107.949] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0107.950] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.950] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.950] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0107.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0107.952] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.953] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.953] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.953] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0107.953] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.954] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.954] CloseHandle (hObject=0x210) returned 1 [0107.955] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.956] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.956] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.957] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0107.957] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.957] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.957] CloseHandle (hObject=0x210) returned 1 [0107.958] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.958] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.958] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.958] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0107.959] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.959] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.959] CloseHandle (hObject=0x210) returned 1 [0107.959] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.960] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.960] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.960] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0107.960] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.961] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.961] CloseHandle (hObject=0x210) returned 1 [0107.961] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.962] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.962] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.962] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0107.962] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.962] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.963] CloseHandle (hObject=0x210) returned 1 [0107.963] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.963] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.963] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.963] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0107.964] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.964] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.964] CloseHandle (hObject=0x210) returned 1 [0107.964] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.965] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.965] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.965] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0107.965] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.965] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.965] CloseHandle (hObject=0x210) returned 1 [0107.965] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.966] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.966] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.966] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0107.966] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.966] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.966] CloseHandle (hObject=0x210) returned 1 [0107.966] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.967] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.967] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.967] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0107.967] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.967] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.968] CloseHandle (hObject=0x210) returned 1 [0107.968] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.968] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.968] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.968] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0107.968] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.969] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0107.969] CloseHandle (hObject=0x210) returned 1 [0107.969] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0107.970] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0107.970] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0107.970] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0107.970] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0108.060] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0108.061] CloseHandle (hObject=0x210) returned 1 [0108.062] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.064] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.065] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.065] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0108.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0108.068] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0108.070] CloseHandle (hObject=0x210) returned 1 [0108.078] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exee", lpUsedDefaultChar=0x0) returned 11 [0108.081] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exesv.exee", lpUsedDefaultChar=0x0) returned 9 [0108.081] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.083] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.085] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.085] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0108.087] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0108.087] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0108.088] CloseHandle (hObject=0x210) returned 1 [0108.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exee", lpUsedDefaultChar=0x0) returned 11 [0108.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exedg.exee", lpUsedDefaultChar=0x0) returned 9 [0108.097] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0108.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.098] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0108.098] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0108.098] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0108.098] CloseHandle (hObject=0x210) returned 1 [0108.100] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sihost.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sihost.exeee", lpUsedDefaultChar=0x0) returned 10 [0108.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exet.exeee", lpUsedDefaultChar=0x0) returned 9 [0108.101] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0108.102] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0108.102] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0108.103] CloseHandle (hObject=0x210) returned 1 [0108.104] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0108.105] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exest.exee", lpUsedDefaultChar=0x0) returned 9 [0108.105] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0108.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0108.106] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0108.106] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0108.107] CloseHandle (hObject=0x210) returned 1 [0108.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exee", lpUsedDefaultChar=0x0) returned 13 [0108.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeostw.exee", lpUsedDefaultChar=0x0) returned 9 [0108.109] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0108.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0108.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0108.111] CloseHandle (hObject=0x210) returned 1 [0108.113] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0108.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.114] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0108.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0108.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0108.114] CloseHandle (hObject=0x210) returned 1 [0108.115] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0108.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0108.116] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0108.116] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0108.116] CloseHandle (hObject=0x210) returned 1 [0108.116] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0108.117] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0108.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0108.117] GetLastError () returned 0x1f [0108.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0108.117] CloseHandle (hObject=0x210) returned 1 [0108.256] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0108.257] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.257] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.257] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0108.257] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0108.258] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0108.258] CloseHandle (hObject=0x210) returned 1 [0108.258] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0108.259] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.259] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.259] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0108.259] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0108.259] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0108.260] CloseHandle (hObject=0x210) returned 1 [0108.260] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0108.261] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.261] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.261] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0108.261] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0108.261] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0108.261] CloseHandle (hObject=0x210) returned 1 [0108.261] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0108.262] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.262] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.262] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0108.262] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0108.263] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.263] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.263] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0108.263] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.265] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.265] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.265] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0108.265] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0108.265] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0108.265] CloseHandle (hObject=0x210) returned 1 [0108.265] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0108.266] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.266] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.266] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0108.266] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0108.267] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0108.267] CloseHandle (hObject=0x210) returned 1 [0108.267] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0108.268] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.268] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.268] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0108.268] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0108.268] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0108.268] CloseHandle (hObject=0x210) returned 1 [0108.268] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0108.269] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.269] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.269] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0108.269] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0108.269] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0108.270] CloseHandle (hObject=0x210) returned 1 [0108.270] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0108.270] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.271] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.271] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0108.271] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0108.271] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0108.271] CloseHandle (hObject=0x210) returned 1 [0108.271] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0108.272] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.272] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.272] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0108.273] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0108.273] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0108.273] CloseHandle (hObject=0x210) returned 1 [0108.273] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0108.274] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.274] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.274] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0108.274] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0108.274] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0108.275] CloseHandle (hObject=0x210) returned 1 [0108.275] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0108.276] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.276] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.276] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0108.276] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0108.277] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0108.277] CloseHandle (hObject=0x210) returned 1 [0108.277] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0108.278] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.278] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.278] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0108.278] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0108.278] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0108.278] CloseHandle (hObject=0x210) returned 1 [0108.278] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0108.279] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.279] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.279] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0108.279] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0108.279] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0108.279] CloseHandle (hObject=0x210) returned 1 [0108.280] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0108.280] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.280] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.280] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0108.280] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0108.281] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0108.281] CloseHandle (hObject=0x210) returned 1 [0108.281] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0108.282] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.282] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.282] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0108.282] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0108.283] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0108.283] CloseHandle (hObject=0x210) returned 1 [0108.285] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="properly.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="properly.exetures.exet.exe", lpUsedDefaultChar=0x0) returned 12 [0108.286] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exerly.exetures.exet.exe", lpUsedDefaultChar=0x0) returned 9 [0108.286] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0108.287] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.287] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.287] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0108.287] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0108.287] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0108.287] CloseHandle (hObject=0x210) returned 1 [0108.288] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="revenue.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="revenue.exeetures.exet.exe", lpUsedDefaultChar=0x0) returned 11 [0108.290] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeue.exeetures.exet.exe", lpUsedDefaultChar=0x0) returned 9 [0108.290] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0108.290] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.290] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.290] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0108.291] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0108.291] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0108.291] CloseHandle (hObject=0x210) returned 1 [0108.294] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="awards-dentists-likewise.exe", cchWideChar=28, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="awards-dentists-likewise.exe", lpUsedDefaultChar=0x0) returned 28 [0108.295] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exes-dentists-likewise.exe", lpUsedDefaultChar=0x0) returned 9 [0108.296] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0108.296] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.297] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.297] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0108.297] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0108.297] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0108.297] CloseHandle (hObject=0x210) returned 1 [0108.382] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="commissions_cannon.exe", cchWideChar=22, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="commissions_cannon.exese.exe", lpUsedDefaultChar=0x0) returned 22 [0108.391] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exessions_cannon.exese.exe", lpUsedDefaultChar=0x0) returned 9 [0108.391] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0108.396] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.397] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.397] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0108.401] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0108.402] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0108.403] CloseHandle (hObject=0x210) returned 1 [0108.405] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0108.406] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.406] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.406] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0108.406] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0108.406] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0108.406] CloseHandle (hObject=0x210) returned 1 [0108.407] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0108.408] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.408] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.408] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0108.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0108.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0108.408] CloseHandle (hObject=0x210) returned 1 [0108.408] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0108.409] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.409] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.409] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0108.409] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0108.409] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0108.410] CloseHandle (hObject=0x210) returned 1 [0108.410] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0108.411] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.411] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.411] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0108.411] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.411] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.411] CloseHandle (hObject=0x210) returned 1 [0108.411] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0108.412] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.412] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0108.412] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0108.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0108.413] CloseHandle (hObject=0x210) returned 1 [0108.413] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0108.416] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.416] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.417] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0108.417] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.420] CloseHandle (hObject=0x210) returned 1 [0108.425] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="alftp.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alftp.exeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.429] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exe.exeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.429] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0108.433] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.439] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0108.439] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0108.440] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0108.440] CloseHandle (hObject=0x210) returned 1 [0108.441] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="barca.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="barca.exeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.442] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exe.exeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.442] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0108.443] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.443] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.443] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0108.443] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0108.443] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0108.444] CloseHandle (hObject=0x210) returned 1 [0108.445] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="bitkinex.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitkinex.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0108.446] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exenex.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.446] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0108.447] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.447] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.447] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0108.447] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.447] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.448] CloseHandle (hObject=0x210) returned 1 [0108.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="coreftp.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0108.450] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exetp.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.450] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0108.451] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.451] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.451] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0108.451] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0108.452] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0108.452] CloseHandle (hObject=0x210) returned 1 [0108.453] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0108.454] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exexe.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.454] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0108.531] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.531] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.531] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0108.531] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0108.532] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0108.532] CloseHandle (hObject=0x210) returned 1 [0108.533] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filezilla.exet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 13 [0108.534] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0108.535] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.535] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0108.535] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0108.535] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0108.536] CloseHandle (hObject=0x210) returned 1 [0108.536] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0108.537] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.537] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.537] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0108.537] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0108.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0108.538] CloseHandle (hObject=0x210) returned 1 [0108.538] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0108.539] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.539] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.539] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0108.539] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0108.539] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0108.540] CloseHandle (hObject=0x210) returned 1 [0108.540] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0108.541] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.541] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.541] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0108.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0108.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0108.541] CloseHandle (hObject=0x210) returned 1 [0108.541] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0108.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0108.542] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0108.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0108.543] CloseHandle (hObject=0x210) returned 1 [0108.543] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0108.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.544] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.544] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0108.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.544] CloseHandle (hObject=0x210) returned 1 [0108.544] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0108.545] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.546] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.546] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0108.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.546] CloseHandle (hObject=0x210) returned 1 [0108.546] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0108.547] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.547] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.547] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0108.547] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0108.547] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0108.548] CloseHandle (hObject=0x210) returned 1 [0108.548] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0108.549] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0108.549] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0108.549] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0108.550] CloseHandle (hObject=0x210) returned 1 [0108.550] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0108.551] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.551] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.551] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0108.551] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0108.551] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0108.552] CloseHandle (hObject=0x210) returned 1 [0108.552] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0108.553] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.553] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.553] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0108.553] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0108.553] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0108.554] CloseHandle (hObject=0x210) returned 1 [0108.554] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0108.555] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.555] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.555] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0108.555] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.555] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.555] CloseHandle (hObject=0x210) returned 1 [0108.555] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0108.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0108.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0108.557] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0108.557] CloseHandle (hObject=0x210) returned 1 [0108.557] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0108.558] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.558] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.558] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0108.558] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.558] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0108.558] CloseHandle (hObject=0x210) returned 1 [0108.558] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0108.559] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.560] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.560] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0108.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0108.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0108.560] CloseHandle (hObject=0x210) returned 1 [0108.560] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0108.561] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.561] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.561] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0108.561] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0108.562] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0108.562] CloseHandle (hObject=0x210) returned 1 [0108.562] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0108.563] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0108.563] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0108.563] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0108.563] CloseHandle (hObject=0x210) returned 1 [0108.628] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0108.630] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeian.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.630] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0108.631] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.631] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.631] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0108.632] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0108.632] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0108.632] CloseHandle (hObject=0x210) returned 1 [0108.634] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="webdrive.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0108.635] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeive.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.635] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0108.636] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.637] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.637] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0108.637] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0108.637] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0108.637] CloseHandle (hObject=0x210) returned 1 [0108.639] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0108.640] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.640] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0108.642] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.642] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.642] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0108.642] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0108.643] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0108.643] CloseHandle (hObject=0x210) returned 1 [0108.644] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0108.646] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exep.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.646] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0108.647] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.647] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.647] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0108.647] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0108.648] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0108.648] CloseHandle (hObject=0x210) returned 1 [0108.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0108.651] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exemessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.651] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0108.653] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.653] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.653] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0108.653] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0108.653] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0108.654] CloseHandle (hObject=0x210) returned 1 [0108.654] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0108.655] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.655] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.655] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0108.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0108.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0108.656] CloseHandle (hObject=0x210) returned 1 [0108.657] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0108.658] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.659] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.659] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0108.659] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0108.659] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0108.659] CloseHandle (hObject=0x210) returned 1 [0108.659] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0108.661] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.661] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.661] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0108.661] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0108.661] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0108.661] CloseHandle (hObject=0x210) returned 1 [0108.661] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0108.663] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.663] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.663] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0108.663] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0108.663] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0108.663] CloseHandle (hObject=0x210) returned 1 [0108.664] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0108.665] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.665] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.665] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0108.665] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0108.665] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0108.666] CloseHandle (hObject=0x210) returned 1 [0108.666] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0108.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0108.667] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0108.667] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0108.668] CloseHandle (hObject=0x210) returned 1 [0108.668] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0108.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.669] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.669] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0108.669] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0108.669] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0108.670] CloseHandle (hObject=0x210) returned 1 [0108.670] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0108.671] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0108.671] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0108.671] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0108.672] CloseHandle (hObject=0x210) returned 1 [0108.672] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0108.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.795] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.795] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0108.795] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0108.795] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0108.796] CloseHandle (hObject=0x210) returned 1 [0108.796] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0108.797] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.797] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.797] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0108.797] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0108.798] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0108.798] CloseHandle (hObject=0x210) returned 1 [0108.799] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0108.800] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.800] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.800] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0108.800] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0108.800] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0108.801] CloseHandle (hObject=0x210) returned 1 [0108.801] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0108.802] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.802] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.802] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0108.802] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0108.803] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0108.803] CloseHandle (hObject=0x210) returned 1 [0108.803] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0108.804] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.804] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.805] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0108.805] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0108.805] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0108.805] CloseHandle (hObject=0x210) returned 1 [0108.805] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0108.810] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.810] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.810] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0108.810] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0108.811] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0108.811] CloseHandle (hObject=0x210) returned 1 [0108.811] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0108.812] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.812] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.812] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0108.812] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0108.813] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0108.813] CloseHandle (hObject=0x210) returned 1 [0108.813] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0108.816] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.816] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.816] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0108.817] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0108.817] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0108.817] CloseHandle (hObject=0x210) returned 1 [0108.823] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="surface-freely.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="surface-freely.exeexexe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0108.825] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exece-freely.exeexexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.825] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0108.826] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.826] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.826] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0108.826] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0108.827] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0108.827] CloseHandle (hObject=0x210) returned 1 [0108.939] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="virginia-converter-meal.exe", cchWideChar=27, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="virginia-converter-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 27 [0108.940] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exenia-converter-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.940] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0108.942] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.942] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.942] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0108.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0108.943] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0108.944] CloseHandle (hObject=0x210) returned 1 [0108.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smoking last.exe", cchWideChar=16, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smoking last.exeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 16 [0108.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeng last.exeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.948] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0108.949] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.949] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.949] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0108.949] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0108.950] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0108.950] CloseHandle (hObject=0x210) returned 1 [0108.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exeexeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 13 [0108.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeostw.exeexeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 9 [0108.953] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0108.954] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.954] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.954] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0108.954] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0108.955] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0108.955] CloseHandle (hObject=0x210) returned 1 [0108.956] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0108.957] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.957] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.957] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a0) returned 0x0 [0108.957] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0108.958] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.958] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.958] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0108.958] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0108.959] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0108.959] CloseHandle (hObject=0x210) returned 1 [0108.959] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0108.960] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.960] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.960] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0108.961] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0108.961] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0108.961] CloseHandle (hObject=0x210) returned 1 [0108.961] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0108.962] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.962] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.962] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0108.962] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0108.963] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0108.963] CloseHandle (hObject=0x210) returned 1 [0108.963] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0108.964] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.964] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.964] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0108.964] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0108.965] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0108.965] CloseHandle (hObject=0x210) returned 1 [0108.965] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0108.966] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.966] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.966] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0108.966] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0108.966] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0108.967] CloseHandle (hObject=0x210) returned 1 [0108.967] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0108.968] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.968] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.968] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0108.968] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0108.968] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0108.968] CloseHandle (hObject=0x210) returned 1 [0108.968] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0108.969] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.969] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.970] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0108.970] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0108.970] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0108.970] CloseHandle (hObject=0x210) returned 1 [0108.970] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0108.971] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.971] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.971] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0108.971] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0108.972] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0108.972] CloseHandle (hObject=0x210) returned 1 [0108.972] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0108.973] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0108.973] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0108.973] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0108.973] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0108.973] GetLastError () returned 0x1f [0108.973] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0108.974] CloseHandle (hObject=0x210) returned 1 [0109.084] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.085] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.086] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.086] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0109.086] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.086] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.086] CloseHandle (hObject=0x210) returned 1 [0109.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exetionVerifier.exe", lpUsedDefaultChar=0x0) returned 11 [0109.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exest.exetionVerifier.exe", lpUsedDefaultChar=0x0) returned 9 [0109.089] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0109.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0109.091] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0109.091] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0109.091] CloseHandle (hObject=0x210) returned 1 [0109.093] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WerFault.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WerFault.exeionVerifier.exe", lpUsedDefaultChar=0x0) returned 12 [0109.094] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeult.exeionVerifier.exe", lpUsedDefaultChar=0x0) returned 9 [0109.094] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.095] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.095] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0109.095] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0109.096] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0109.096] CloseHandle (hObject=0x210) returned 1 [0109.097] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeionVerifier.exe", lpUsedDefaultChar=0x0) returned 12 [0109.099] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exerer.exeionVerifier.exe", lpUsedDefaultChar=0x0) returned 9 [0109.099] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0109.100] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.100] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.100] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0109.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0109.101] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0109.101] CloseHandle (hObject=0x210) returned 1 [0109.102] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exeeionVerifier.exe", lpUsedDefaultChar=0x0) returned 11 [0109.103] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exead.exeeionVerifier.exe", lpUsedDefaultChar=0x0) returned 9 [0109.103] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0109.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0109.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0109.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x6181c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0109.105] CloseHandle (hObject=0x210) returned 1 [0109.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WMIADAP.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WMIADAP.exeeionVerifier.exe", lpUsedDefaultChar=0x0) returned 11 [0109.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir.exeAP.exeeionVerifier.exe", lpUsedDefaultChar=0x0) returned 9 [0109.108] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??????")) returned 0 [0109.109] CloseHandle (hObject=0x20c) returned 1 [0109.109] Sleep (dwMilliseconds=0x1) [0109.169] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0109.169] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359798, cbMultiByte=11, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="anvir64.exeisqlplussvc.exe") returned 11 [0109.170] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0109.170] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0109.182] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0109.182] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.183] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.183] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0109.183] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0109.184] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.184] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.184] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0109.184] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0109.184] GetLastError () returned 0x1f [0109.184] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0109.184] CloseHandle (hObject=0x210) returned 1 [0109.185] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0109.185] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.186] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.186] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0109.186] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0109.186] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0109.186] CloseHandle (hObject=0x210) returned 1 [0109.186] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.187] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.187] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.187] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0109.187] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0109.188] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0109.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0109.189] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0109.189] CloseHandle (hObject=0x210) returned 1 [0109.189] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0109.190] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0109.190] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0109.191] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.191] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.191] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0109.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0109.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0109.191] CloseHandle (hObject=0x210) returned 1 [0109.191] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0109.192] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.192] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.192] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0109.192] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0109.193] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0109.193] CloseHandle (hObject=0x210) returned 1 [0109.193] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0109.194] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0109.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0109.195] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0109.195] CloseHandle (hObject=0x210) returned 1 [0109.195] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.196] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.196] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.196] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0109.196] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.196] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.196] CloseHandle (hObject=0x210) returned 1 [0109.196] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0109.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0109.197] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0109.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0109.198] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.199] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0109.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.200] CloseHandle (hObject=0x210) returned 1 [0109.200] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0109.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.201] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.201] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0109.201] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.201] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0109.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.202] CloseHandle (hObject=0x210) returned 1 [0109.202] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0109.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.204] CloseHandle (hObject=0x210) returned 1 [0109.204] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0109.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.205] CloseHandle (hObject=0x210) returned 1 [0109.205] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.206] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.206] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0109.206] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.206] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.207] CloseHandle (hObject=0x210) returned 1 [0109.207] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.208] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.208] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.208] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0109.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.208] CloseHandle (hObject=0x210) returned 1 [0109.208] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.272] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.272] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.272] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0109.272] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.272] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.272] CloseHandle (hObject=0x210) returned 1 [0109.272] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.273] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.273] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.273] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0109.273] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.273] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.274] CloseHandle (hObject=0x210) returned 1 [0109.274] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.274] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.274] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.274] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0109.274] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.275] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.275] CloseHandle (hObject=0x210) returned 1 [0109.275] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.275] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.275] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.275] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0109.276] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.276] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.276] CloseHandle (hObject=0x210) returned 1 [0109.276] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.277] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.277] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.277] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0109.277] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.277] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.277] CloseHandle (hObject=0x210) returned 1 [0109.277] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.278] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.278] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.278] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0109.278] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.278] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.278] CloseHandle (hObject=0x210) returned 1 [0109.278] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0109.279] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.279] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.279] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0109.279] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0109.279] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0109.280] CloseHandle (hObject=0x210) returned 1 [0109.280] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0109.280] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.280] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.280] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0109.280] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0109.281] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0109.281] CloseHandle (hObject=0x210) returned 1 [0109.281] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0109.281] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.282] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.282] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0109.282] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0109.282] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0109.282] CloseHandle (hObject=0x210) returned 1 [0109.282] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.283] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.283] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.283] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0109.283] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.283] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.283] CloseHandle (hObject=0x210) returned 1 [0109.283] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0109.284] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.284] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.284] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0109.284] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0109.284] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0109.284] CloseHandle (hObject=0x210) returned 1 [0109.285] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0109.285] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.285] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.285] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0109.285] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0109.286] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0109.286] CloseHandle (hObject=0x210) returned 1 [0109.286] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0109.286] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.286] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.287] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0109.287] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0109.287] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0109.288] CloseHandle (hObject=0x210) returned 1 [0109.288] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0109.288] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.288] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.288] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0109.288] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0109.289] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0109.289] CloseHandle (hObject=0x210) returned 1 [0109.289] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0109.290] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.290] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.290] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0109.290] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0109.290] GetLastError () returned 0x1f [0109.290] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0109.290] CloseHandle (hObject=0x210) returned 1 [0109.301] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0109.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0109.302] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0109.367] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0109.367] CloseHandle (hObject=0x210) returned 1 [0109.367] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0109.368] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.368] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.368] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0109.368] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0109.368] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0109.368] CloseHandle (hObject=0x210) returned 1 [0109.368] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0109.369] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.369] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.369] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0109.369] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0109.369] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0109.370] CloseHandle (hObject=0x210) returned 1 [0109.370] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0109.370] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.370] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.370] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0109.370] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0109.371] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.371] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.371] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0109.371] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0109.372] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.372] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.372] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0109.372] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.372] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0109.372] CloseHandle (hObject=0x210) returned 1 [0109.372] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0109.373] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.373] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.373] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0109.373] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0109.373] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0109.373] CloseHandle (hObject=0x210) returned 1 [0109.374] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0109.374] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.374] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.374] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0109.374] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0109.374] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0109.375] CloseHandle (hObject=0x210) returned 1 [0109.375] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0109.375] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.375] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.375] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0109.375] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0109.376] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0109.376] CloseHandle (hObject=0x210) returned 1 [0109.376] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0109.376] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.377] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.377] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0109.377] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0109.377] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0109.377] CloseHandle (hObject=0x210) returned 1 [0109.377] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0109.378] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.378] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0109.378] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0109.378] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0109.378] CloseHandle (hObject=0x210) returned 1 [0109.378] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0109.379] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.379] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.379] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0109.379] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0109.379] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0109.380] CloseHandle (hObject=0x210) returned 1 [0109.380] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0109.380] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.448] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.448] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0109.448] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0109.449] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0109.449] CloseHandle (hObject=0x210) returned 1 [0109.449] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0109.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0109.450] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0109.450] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0109.451] CloseHandle (hObject=0x210) returned 1 [0109.451] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0109.451] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.452] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.452] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0109.452] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0109.452] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0109.452] CloseHandle (hObject=0x210) returned 1 [0109.452] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0109.453] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.453] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.453] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0109.453] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0109.454] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0109.454] CloseHandle (hObject=0x210) returned 1 [0109.454] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0109.454] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.454] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.455] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0109.455] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0109.455] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0109.455] CloseHandle (hObject=0x210) returned 1 [0109.455] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0109.456] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.456] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.456] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0109.456] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0109.456] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0109.456] CloseHandle (hObject=0x210) returned 1 [0109.456] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0109.457] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.457] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0109.457] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0109.457] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0109.458] CloseHandle (hObject=0x210) returned 1 [0109.458] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0109.458] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.458] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.459] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0109.459] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0109.459] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0109.459] CloseHandle (hObject=0x210) returned 1 [0109.459] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0109.460] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.460] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.460] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0109.460] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0109.460] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0109.460] CloseHandle (hObject=0x210) returned 1 [0109.460] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0109.461] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.461] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0109.461] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0109.461] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0109.501] CloseHandle (hObject=0x210) returned 1 [0109.502] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="hacker.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hacker.exeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 10 [0109.504] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeexeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.504] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0109.505] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.505] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.505] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0109.505] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0109.506] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0109.506] CloseHandle (hObject=0x210) returned 1 [0109.507] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="death.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="death.exeeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 9 [0109.509] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exexeeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.509] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0109.510] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.510] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.510] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0109.510] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0109.510] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0109.510] CloseHandle (hObject=0x210) returned 1 [0109.513] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ko_ferrari_inspired.exe", cchWideChar=23, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ko_ferrari_inspired.exe famous.exe", lpUsedDefaultChar=0x0) returned 23 [0109.514] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeari_inspired.exe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.514] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0109.515] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.516] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.516] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0109.516] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.516] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.516] CloseHandle (hObject=0x210) returned 1 [0109.518] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3dftp.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3dftp.exei_inspired.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0109.519] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exexei_inspired.exe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.519] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0109.521] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.521] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.521] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0109.646] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0109.647] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0109.647] CloseHandle (hObject=0x210) returned 1 [0109.650] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0109.651] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.651] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.651] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0109.651] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.652] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.652] CloseHandle (hObject=0x210) returned 1 [0109.653] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0109.654] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.654] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.654] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0109.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0109.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0109.655] CloseHandle (hObject=0x210) returned 1 [0109.655] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0109.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.656] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0109.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0109.657] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0109.657] CloseHandle (hObject=0x210) returned 1 [0109.657] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0109.658] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.658] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.658] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0109.659] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.659] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.659] CloseHandle (hObject=0x210) returned 1 [0109.659] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0109.660] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.661] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.661] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0109.661] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0109.661] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0109.661] CloseHandle (hObject=0x210) returned 1 [0109.661] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0109.663] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.663] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.663] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0109.663] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0109.663] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0109.664] CloseHandle (hObject=0x210) returned 1 [0109.664] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0109.665] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.665] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.665] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0109.665] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0109.666] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0109.666] CloseHandle (hObject=0x210) returned 1 [0109.666] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0109.667] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.667] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.667] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0109.667] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0109.668] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0109.668] CloseHandle (hObject=0x210) returned 1 [0109.668] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0109.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.669] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.669] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0109.669] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0109.670] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0109.670] CloseHandle (hObject=0x210) returned 1 [0109.670] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0109.671] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.672] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.672] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0109.672] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0109.672] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0109.672] CloseHandle (hObject=0x210) returned 1 [0109.672] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0109.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0109.674] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0109.674] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0109.676] CloseHandle (hObject=0x210) returned 1 [0109.676] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0109.677] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.678] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.678] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0109.678] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.679] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.679] CloseHandle (hObject=0x210) returned 1 [0109.679] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0109.680] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.681] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.681] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0109.681] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.681] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.681] CloseHandle (hObject=0x210) returned 1 [0109.681] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0109.683] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.683] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.683] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0109.683] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0109.683] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0109.683] CloseHandle (hObject=0x210) returned 1 [0109.683] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0109.685] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.685] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.685] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0109.685] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0109.685] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0109.686] CloseHandle (hObject=0x210) returned 1 [0109.686] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0109.687] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.687] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.687] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0109.687] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0109.687] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0109.687] CloseHandle (hObject=0x210) returned 1 [0109.687] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0109.688] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.688] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.688] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0109.689] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0109.689] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0109.689] CloseHandle (hObject=0x210) returned 1 [0109.689] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0109.690] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.690] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.690] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0109.690] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.690] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.691] CloseHandle (hObject=0x210) returned 1 [0109.691] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0109.692] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.692] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.692] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0109.692] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0109.692] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0109.692] CloseHandle (hObject=0x210) returned 1 [0109.693] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0109.788] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.789] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.789] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0109.789] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.789] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0109.789] CloseHandle (hObject=0x210) returned 1 [0109.789] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0109.790] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.790] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.790] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0109.791] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0109.791] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0109.791] CloseHandle (hObject=0x210) returned 1 [0109.791] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0109.862] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.862] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.862] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0109.862] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0109.863] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0109.863] CloseHandle (hObject=0x210) returned 1 [0109.863] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0109.866] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.866] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.866] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0109.867] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0109.867] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0109.867] CloseHandle (hObject=0x210) returned 1 [0109.867] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0109.868] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.869] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.869] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0109.869] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0109.869] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0109.870] CloseHandle (hObject=0x210) returned 1 [0109.871] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="webdrive.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0109.873] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exee.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.873] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0109.875] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.875] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.875] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0109.875] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0109.875] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0109.876] CloseHandle (hObject=0x210) returned 1 [0109.878] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0109.879] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exep.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.879] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0109.881] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.881] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.881] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0109.881] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0109.882] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0109.883] CloseHandle (hObject=0x210) returned 1 [0109.884] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0109.886] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exeexexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.887] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0109.888] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.888] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.888] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0109.888] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0109.888] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0109.889] CloseHandle (hObject=0x210) returned 1 [0109.891] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0109.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="anvir64.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="anvir64.exessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0109.892] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0109.893] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.894] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.894] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0109.894] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0109.894] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0109.894] CloseHandle (hObject=0x210) returned 1 [0109.964] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0109.965] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.965] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.965] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0109.965] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0109.965] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0109.966] CloseHandle (hObject=0x210) returned 1 [0109.966] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0109.967] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.967] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.967] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0109.967] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0109.968] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0109.968] CloseHandle (hObject=0x210) returned 1 [0109.968] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0109.969] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.969] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.969] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0109.969] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0109.970] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0109.970] CloseHandle (hObject=0x210) returned 1 [0109.970] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0109.971] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.971] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.971] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0109.971] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0109.971] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0109.972] CloseHandle (hObject=0x210) returned 1 [0109.972] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0109.973] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.973] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.973] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0109.973] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0109.973] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0109.973] CloseHandle (hObject=0x210) returned 1 [0109.974] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0109.975] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.975] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.975] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0109.975] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0109.975] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0109.976] CloseHandle (hObject=0x210) returned 1 [0109.976] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0109.977] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.977] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.977] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0109.977] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0109.977] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0109.977] CloseHandle (hObject=0x210) returned 1 [0109.978] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0109.979] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.979] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.979] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0109.979] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0109.979] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0109.980] CloseHandle (hObject=0x210) returned 1 [0109.980] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0109.981] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.981] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.981] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0109.981] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0109.981] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0109.981] CloseHandle (hObject=0x210) returned 1 [0109.981] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0109.982] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.983] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.983] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0109.983] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0109.983] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0109.983] CloseHandle (hObject=0x210) returned 1 [0109.983] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0109.984] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.984] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.984] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0109.985] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0109.985] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0109.985] CloseHandle (hObject=0x210) returned 1 [0109.985] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0109.986] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.986] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.986] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0109.986] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0109.987] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0109.987] CloseHandle (hObject=0x210) returned 1 [0109.987] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0109.988] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.988] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.988] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0109.988] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0109.988] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0109.988] CloseHandle (hObject=0x210) returned 1 [0109.988] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0109.989] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.989] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.989] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0109.990] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0109.990] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0109.990] CloseHandle (hObject=0x210) returned 1 [0109.990] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0109.991] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.991] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.991] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0109.991] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0109.991] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0109.991] CloseHandle (hObject=0x210) returned 1 [0109.991] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0109.992] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.992] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.992] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0109.992] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0109.993] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0109.993] CloseHandle (hObject=0x210) returned 1 [0109.993] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0109.994] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.994] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.994] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0109.994] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0109.994] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0109.994] CloseHandle (hObject=0x210) returned 1 [0109.994] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0109.995] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.996] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.996] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0109.996] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0109.996] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0109.996] CloseHandle (hObject=0x210) returned 1 [0109.996] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0109.997] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.997] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.997] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0109.997] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0109.997] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0109.998] CloseHandle (hObject=0x210) returned 1 [0109.998] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0109.998] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0109.998] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0109.999] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0109.999] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0109.999] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0109.999] CloseHandle (hObject=0x210) returned 1 [0109.999] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0110.000] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.000] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.000] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0110.000] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0110.000] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0110.000] CloseHandle (hObject=0x210) returned 1 [0110.000] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0110.001] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.001] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.001] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0110.001] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0110.002] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0110.002] CloseHandle (hObject=0x210) returned 1 [0110.002] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0110.002] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.003] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.003] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0110.003] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.003] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.003] CloseHandle (hObject=0x210) returned 1 [0110.003] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0110.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0110.004] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.004] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.004] CloseHandle (hObject=0x210) returned 1 [0110.004] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0110.043] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.043] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.043] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0110.043] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0110.043] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0110.043] CloseHandle (hObject=0x210) returned 1 [0110.043] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0110.044] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.044] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.044] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0110.044] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.045] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.045] CloseHandle (hObject=0x210) returned 1 [0110.045] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0110.046] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.046] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.046] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0110.046] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.046] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.047] CloseHandle (hObject=0x210) returned 1 [0110.047] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0110.047] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.047] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.047] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0110.048] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0110.048] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0110.048] CloseHandle (hObject=0x210) returned 1 [0110.048] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0110.049] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.049] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.049] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0110.049] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0110.049] GetLastError () returned 0x1f [0110.049] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0110.049] CloseHandle (hObject=0x210) returned 1 [0110.061] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.062] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.062] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.062] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0110.062] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.062] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.063] CloseHandle (hObject=0x210) returned 1 [0110.063] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0110.063] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.063] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.063] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0110.064] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0110.064] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0110.064] CloseHandle (hObject=0x210) returned 1 [0110.064] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.065] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.065] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.065] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0110.065] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0110.065] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0110.065] CloseHandle (hObject=0x210) returned 1 [0110.065] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0110.066] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.066] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.066] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0110.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0110.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0110.067] CloseHandle (hObject=0x210) returned 1 [0110.067] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0110.067] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.067] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.067] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0110.067] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0110.068] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0110.068] CloseHandle (hObject=0x210) returned 1 [0110.068] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x70e8c, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??????")) returned 0 [0110.068] CloseHandle (hObject=0x20c) returned 1 [0110.069] Sleep (dwMilliseconds=0x1) [0110.108] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0110.108] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359750, cbMultiByte=10, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="apache.exeeisqlplussvc.exe") returned 10 [0110.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exest.exe", lpUsedDefaultChar=0x0) returned 10 [0110.109] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0110.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exexest.exe", lpUsedDefaultChar=0x0) returned 12 [0110.110] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0110.118] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.119] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.119] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0110.120] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exe", lpUsedDefaultChar=0x0) returned 10 [0110.120] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.172] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.173] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.173] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0110.173] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0110.173] GetLastError () returned 0x1f [0110.173] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0110.173] CloseHandle (hObject=0x210) returned 1 [0110.181] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.182] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.182] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.182] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0110.182] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0110.182] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0110.182] CloseHandle (hObject=0x210) returned 1 [0110.182] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.183] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.184] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.184] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0110.184] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.184] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.184] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.185] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0110.185] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0110.185] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0110.185] CloseHandle (hObject=0x210) returned 1 [0110.185] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.186] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.186] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.186] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0110.186] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.187] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.187] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.187] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0110.187] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0110.187] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0110.187] CloseHandle (hObject=0x210) returned 1 [0110.187] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.188] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0110.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0110.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0110.189] CloseHandle (hObject=0x210) returned 1 [0110.189] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.189] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0110.190] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0110.190] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0110.190] CloseHandle (hObject=0x210) returned 1 [0110.190] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.191] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.191] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.191] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0110.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.192] CloseHandle (hObject=0x210) returned 1 [0110.192] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0110.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0110.193] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0110.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0110.194] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.194] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0110.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.195] CloseHandle (hObject=0x210) returned 1 [0110.195] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0110.195] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.196] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.196] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.196] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0110.196] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.196] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.197] CloseHandle (hObject=0x210) returned 1 [0110.197] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0110.197] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.198] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.198] CloseHandle (hObject=0x210) returned 1 [0110.198] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0110.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.199] CloseHandle (hObject=0x210) returned 1 [0110.199] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0110.200] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.200] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.200] CloseHandle (hObject=0x210) returned 1 [0110.200] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.201] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.201] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.201] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0110.201] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.201] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.202] CloseHandle (hObject=0x210) returned 1 [0110.202] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.202] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0110.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.203] CloseHandle (hObject=0x210) returned 1 [0110.203] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0110.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.204] CloseHandle (hObject=0x210) returned 1 [0110.204] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0110.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.206] CloseHandle (hObject=0x210) returned 1 [0110.206] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.206] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.206] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0110.206] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.207] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.207] CloseHandle (hObject=0x210) returned 1 [0110.207] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.208] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0110.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.208] CloseHandle (hObject=0x210) returned 1 [0110.208] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0110.209] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.209] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.209] CloseHandle (hObject=0x210) returned 1 [0110.209] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.210] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.210] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0110.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0110.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0110.210] CloseHandle (hObject=0x210) returned 1 [0110.210] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0110.211] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0110.211] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0110.211] CloseHandle (hObject=0x210) returned 1 [0110.211] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0110.212] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.212] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.212] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0110.212] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0110.212] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0110.213] CloseHandle (hObject=0x210) returned 1 [0110.213] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0110.213] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.214] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.214] CloseHandle (hObject=0x210) returned 1 [0110.214] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0110.266] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.266] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.266] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0110.266] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0110.266] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0110.267] CloseHandle (hObject=0x210) returned 1 [0110.267] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.267] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.267] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.267] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0110.268] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0110.268] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0110.268] CloseHandle (hObject=0x210) returned 1 [0110.268] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0110.268] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.269] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.269] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0110.269] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0110.269] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0110.269] CloseHandle (hObject=0x210) returned 1 [0110.269] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0110.270] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.270] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.270] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0110.270] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0110.270] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0110.270] CloseHandle (hObject=0x210) returned 1 [0110.270] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0110.271] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.271] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.271] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0110.271] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0110.271] GetLastError () returned 0x1f [0110.271] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0110.271] CloseHandle (hObject=0x210) returned 1 [0110.288] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0110.289] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.289] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.289] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0110.289] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0110.290] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0110.290] CloseHandle (hObject=0x210) returned 1 [0110.290] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0110.291] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.291] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.291] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0110.291] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0110.291] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0110.291] CloseHandle (hObject=0x210) returned 1 [0110.291] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0110.292] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.292] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.292] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0110.292] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0110.292] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0110.292] CloseHandle (hObject=0x210) returned 1 [0110.293] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0110.293] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.293] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.293] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0110.293] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0110.294] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.294] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.294] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0110.294] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.295] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.295] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.295] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0110.295] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.295] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.295] CloseHandle (hObject=0x210) returned 1 [0110.295] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0110.296] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.296] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.296] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0110.296] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0110.296] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0110.296] CloseHandle (hObject=0x210) returned 1 [0110.296] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0110.297] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.297] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.297] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0110.297] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0110.297] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0110.298] CloseHandle (hObject=0x210) returned 1 [0110.298] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0110.298] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.298] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.298] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0110.298] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0110.299] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0110.299] CloseHandle (hObject=0x210) returned 1 [0110.299] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0110.299] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.299] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.300] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0110.300] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0110.300] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0110.300] CloseHandle (hObject=0x210) returned 1 [0110.300] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0110.301] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.301] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.301] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0110.301] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0110.301] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0110.301] CloseHandle (hObject=0x210) returned 1 [0110.301] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0110.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0110.302] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0110.302] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0110.302] CloseHandle (hObject=0x210) returned 1 [0110.302] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0110.303] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.303] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.303] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0110.303] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0110.303] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0110.304] CloseHandle (hObject=0x210) returned 1 [0110.304] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0110.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.304] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.304] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0110.304] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0110.305] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0110.305] CloseHandle (hObject=0x210) returned 1 [0110.305] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0110.305] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.306] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.306] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0110.306] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0110.306] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0110.306] CloseHandle (hObject=0x210) returned 1 [0110.306] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0110.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.307] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.307] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0110.307] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0110.307] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0110.308] CloseHandle (hObject=0x210) returned 1 [0110.308] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0110.376] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.376] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.376] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0110.376] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0110.377] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0110.377] CloseHandle (hObject=0x210) returned 1 [0110.377] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0110.378] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.378] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0110.378] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0110.378] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0110.379] CloseHandle (hObject=0x210) returned 1 [0110.379] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0110.379] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.380] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.380] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0110.380] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0110.380] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0110.380] CloseHandle (hObject=0x210) returned 1 [0110.380] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0110.381] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.381] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.381] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0110.381] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0110.381] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0110.382] CloseHandle (hObject=0x210) returned 1 [0110.382] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0110.383] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.383] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.383] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0110.383] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0110.383] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0110.383] CloseHandle (hObject=0x210) returned 1 [0110.383] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0110.384] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.384] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.384] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0110.384] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0110.385] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0110.385] CloseHandle (hObject=0x210) returned 1 [0110.385] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0110.386] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.386] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.386] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0110.386] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0110.386] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0110.387] CloseHandle (hObject=0x210) returned 1 [0110.387] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0110.387] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.388] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.388] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0110.388] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0110.388] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0110.388] CloseHandle (hObject=0x210) returned 1 [0110.388] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0110.389] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.390] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.390] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0110.390] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.390] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.390] CloseHandle (hObject=0x210) returned 1 [0110.390] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0110.391] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.391] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.392] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0110.392] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0110.392] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0110.392] CloseHandle (hObject=0x210) returned 1 [0110.392] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0110.393] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.393] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.393] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0110.394] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.394] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.394] CloseHandle (hObject=0x210) returned 1 [0110.394] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0110.395] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.395] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.395] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0110.395] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0110.396] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0110.396] CloseHandle (hObject=0x210) returned 1 [0110.396] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0110.397] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.397] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.397] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0110.397] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0110.398] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0110.398] CloseHandle (hObject=0x210) returned 1 [0110.398] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0110.399] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.399] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.399] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0110.399] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.400] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.400] CloseHandle (hObject=0x210) returned 1 [0110.400] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0110.401] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.401] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.401] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0110.401] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0110.401] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0110.402] CloseHandle (hObject=0x210) returned 1 [0110.402] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0110.403] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.404] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.404] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0110.404] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0110.404] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0110.404] CloseHandle (hObject=0x210) returned 1 [0110.404] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0110.405] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.406] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.406] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0110.406] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0110.406] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0110.406] CloseHandle (hObject=0x210) returned 1 [0110.406] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0110.407] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.407] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.407] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0110.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0110.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0110.408] CloseHandle (hObject=0x210) returned 1 [0110.408] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0110.409] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.409] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.409] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0110.409] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0110.410] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0110.410] CloseHandle (hObject=0x210) returned 1 [0110.410] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0110.411] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.411] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.411] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0110.411] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0110.412] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0110.412] CloseHandle (hObject=0x210) returned 1 [0110.412] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0110.413] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.413] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.413] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0110.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0110.414] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0110.414] CloseHandle (hObject=0x210) returned 1 [0110.414] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0110.415] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.415] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.415] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0110.415] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.416] CloseHandle (hObject=0x210) returned 1 [0110.416] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0110.417] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.417] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.417] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0110.468] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.468] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.469] CloseHandle (hObject=0x210) returned 1 [0110.469] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0110.470] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.470] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.470] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0110.470] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0110.470] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0110.471] CloseHandle (hObject=0x210) returned 1 [0110.471] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0110.472] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.472] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.472] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0110.472] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0110.472] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0110.473] CloseHandle (hObject=0x210) returned 1 [0110.473] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0110.474] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.474] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.474] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0110.474] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0110.474] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0110.474] CloseHandle (hObject=0x210) returned 1 [0110.475] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0110.476] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.476] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.476] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0110.476] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0110.476] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0110.476] CloseHandle (hObject=0x210) returned 1 [0110.476] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0110.478] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.478] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.478] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0110.478] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.478] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.478] CloseHandle (hObject=0x210) returned 1 [0110.478] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0110.480] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.480] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.480] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0110.480] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0110.480] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0110.481] CloseHandle (hObject=0x210) returned 1 [0110.482] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="skype.exe.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0110.483] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exeexe.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0110.483] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0110.484] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.484] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.484] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0110.484] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.485] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0110.485] CloseHandle (hObject=0x210) returned 1 [0110.486] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smartftp.exeepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0110.488] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exetp.exeepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0110.488] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0110.489] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.489] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.489] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0110.489] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0110.489] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0110.490] CloseHandle (hObject=0x210) returned 1 [0110.491] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=15, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="thunderbird.exeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0110.493] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exerbird.exeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0110.493] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0110.494] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.494] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.494] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0110.494] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0110.495] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0110.495] CloseHandle (hObject=0x210) returned 1 [0110.497] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="totalcmd.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="totalcmd.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0110.498] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="apache.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="apache.exemd.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0110.498] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0110.499] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.499] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.499] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0110.499] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0110.500] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0110.500] CloseHandle (hObject=0x210) returned 1 [0110.501] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0110.503] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0110.504] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.504] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.504] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0110.504] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0110.505] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0110.505] CloseHandle (hObject=0x210) returned 1 [0110.505] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0110.507] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.507] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.507] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0110.507] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0110.507] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0110.507] CloseHandle (hObject=0x210) returned 1 [0110.507] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0110.508] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.508] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.508] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0110.509] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0110.509] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0110.509] CloseHandle (hObject=0x210) returned 1 [0110.509] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0110.510] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.510] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.510] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0110.510] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0110.511] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0110.511] CloseHandle (hObject=0x210) returned 1 [0110.563] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0110.564] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.564] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.564] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0110.564] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0110.564] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0110.565] CloseHandle (hObject=0x210) returned 1 [0110.565] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0110.566] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.566] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.566] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0110.566] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0110.566] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0110.566] CloseHandle (hObject=0x210) returned 1 [0110.566] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0110.567] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.567] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.567] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0110.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0110.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0110.568] CloseHandle (hObject=0x210) returned 1 [0110.568] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0110.568] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.568] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.568] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0110.569] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0110.569] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0110.569] CloseHandle (hObject=0x210) returned 1 [0110.569] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0110.570] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.570] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.570] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0110.570] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0110.570] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0110.570] CloseHandle (hObject=0x210) returned 1 [0110.571] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0110.571] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.571] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.571] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0110.572] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0110.572] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0110.572] CloseHandle (hObject=0x210) returned 1 [0110.572] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0110.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0110.573] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0110.573] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0110.573] CloseHandle (hObject=0x210) returned 1 [0110.573] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0110.574] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.574] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.574] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0110.574] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0110.575] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0110.575] CloseHandle (hObject=0x210) returned 1 [0110.575] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0110.576] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.576] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.576] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0110.576] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0110.576] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0110.576] CloseHandle (hObject=0x210) returned 1 [0110.576] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0110.577] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.577] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.577] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0110.577] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0110.577] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0110.578] CloseHandle (hObject=0x210) returned 1 [0110.578] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0110.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.578] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.578] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0110.579] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0110.579] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0110.579] CloseHandle (hObject=0x210) returned 1 [0110.579] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0110.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0110.580] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0110.580] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0110.580] CloseHandle (hObject=0x210) returned 1 [0110.580] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0110.581] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.581] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.581] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0110.581] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0110.581] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0110.582] CloseHandle (hObject=0x210) returned 1 [0110.582] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0110.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.583] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.583] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0110.583] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0110.583] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0110.583] CloseHandle (hObject=0x210) returned 1 [0110.583] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0110.584] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.584] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.584] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0110.584] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0110.584] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0110.584] CloseHandle (hObject=0x210) returned 1 [0110.584] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0110.585] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.585] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.585] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0110.585] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0110.585] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0110.586] CloseHandle (hObject=0x210) returned 1 [0110.586] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0110.586] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.587] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.587] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0110.587] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0110.587] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0110.587] CloseHandle (hObject=0x210) returned 1 [0110.587] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0110.588] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0110.588] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0110.588] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0110.588] CloseHandle (hObject=0x210) returned 1 [0110.588] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0110.589] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.589] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.589] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0110.589] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0110.590] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0110.590] CloseHandle (hObject=0x210) returned 1 [0110.590] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0110.591] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.591] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.591] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0110.591] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0110.591] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0110.592] CloseHandle (hObject=0x210) returned 1 [0110.592] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0110.593] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.593] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.593] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0110.593] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0110.593] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0110.593] CloseHandle (hObject=0x210) returned 1 [0110.593] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0110.594] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.594] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0110.595] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0110.595] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0110.595] CloseHandle (hObject=0x210) returned 1 [0110.595] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0110.596] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.596] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.596] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0110.596] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0110.597] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0110.597] CloseHandle (hObject=0x210) returned 1 [0110.597] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0110.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.598] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.598] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0110.598] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.598] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.599] CloseHandle (hObject=0x210) returned 1 [0110.599] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0110.600] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.600] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.600] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0110.600] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.600] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0110.600] CloseHandle (hObject=0x210) returned 1 [0110.600] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0110.601] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0110.602] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0110.602] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0110.602] CloseHandle (hObject=0x210) returned 1 [0110.602] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0110.603] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.603] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.603] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0110.603] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.604] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.604] CloseHandle (hObject=0x210) returned 1 [0110.604] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0110.605] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.654] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.654] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0110.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.655] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0110.655] CloseHandle (hObject=0x210) returned 1 [0110.655] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0110.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.656] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0110.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0110.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0110.656] CloseHandle (hObject=0x210) returned 1 [0110.656] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0110.657] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.657] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.657] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0110.657] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0110.657] GetLastError () returned 0x1f [0110.657] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0110.657] CloseHandle (hObject=0x210) returned 1 [0110.668] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.669] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.669] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0110.669] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.670] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.670] CloseHandle (hObject=0x210) returned 1 [0110.670] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0110.670] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0110.671] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0110.671] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0110.671] CloseHandle (hObject=0x210) returned 1 [0110.671] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0110.672] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.672] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.672] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0110.672] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0110.672] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0110.672] CloseHandle (hObject=0x210) returned 1 [0110.672] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0110.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.673] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0110.673] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0110.673] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0110.674] CloseHandle (hObject=0x210) returned 1 [0110.674] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0110.674] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0110.674] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0110.675] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0110.675] CloseHandle (hObject=0x210) returned 1 [0110.675] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??????")) returned 0 [0110.675] CloseHandle (hObject=0x20c) returned 1 [0110.676] Sleep (dwMilliseconds=0x1) [0110.718] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0110.718] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359738, cbMultiByte=10, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="backup.exeeisqlplussvc.exe") returned 10 [0110.719] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exest.exe", lpUsedDefaultChar=0x0) returned 10 [0110.719] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0110.720] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exexest.exe", lpUsedDefaultChar=0x0) returned 12 [0110.720] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0110.780] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0110.781] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.781] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.781] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0110.782] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exe", lpUsedDefaultChar=0x0) returned 10 [0110.782] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0110.782] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.783] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.783] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0110.783] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0110.783] GetLastError () returned 0x1f [0110.783] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0110.783] CloseHandle (hObject=0x210) returned 1 [0110.791] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0110.792] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.792] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.792] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0110.792] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0110.793] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0110.793] CloseHandle (hObject=0x210) returned 1 [0110.793] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0110.794] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0110.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.795] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.795] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0110.795] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0110.795] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0110.795] CloseHandle (hObject=0x210) returned 1 [0110.795] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0110.796] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.796] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.796] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0110.796] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0110.797] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.797] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.797] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0110.797] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0110.797] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0110.797] CloseHandle (hObject=0x210) returned 1 [0110.797] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0110.798] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.798] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.798] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0110.798] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0110.798] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0110.798] CloseHandle (hObject=0x210) returned 1 [0110.799] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0110.799] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.799] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.799] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0110.799] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0110.800] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0110.800] CloseHandle (hObject=0x210) returned 1 [0110.800] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.800] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.801] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.801] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0110.801] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.801] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.801] CloseHandle (hObject=0x210) returned 1 [0110.801] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0110.802] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.802] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.802] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0110.802] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0110.803] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.803] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.803] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0110.803] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.803] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.804] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.804] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0110.804] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.814] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.814] CloseHandle (hObject=0x210) returned 1 [0110.814] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0110.815] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.815] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.815] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0110.815] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.816] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.816] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.816] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0110.816] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.817] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.817] CloseHandle (hObject=0x210) returned 1 [0110.817] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.818] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.818] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.818] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0110.818] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.818] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.818] CloseHandle (hObject=0x210) returned 1 [0110.818] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.819] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.819] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.819] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0110.819] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.819] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.869] CloseHandle (hObject=0x210) returned 1 [0110.869] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.870] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.870] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.870] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0110.870] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.871] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.871] CloseHandle (hObject=0x210) returned 1 [0110.871] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.872] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.872] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.872] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0110.872] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.872] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.872] CloseHandle (hObject=0x210) returned 1 [0110.872] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.873] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.873] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.873] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0110.873] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.873] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.874] CloseHandle (hObject=0x210) returned 1 [0110.874] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.874] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.874] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.874] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0110.874] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.875] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.875] CloseHandle (hObject=0x210) returned 1 [0110.875] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.876] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.876] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.876] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0110.876] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.876] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.876] CloseHandle (hObject=0x210) returned 1 [0110.876] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.877] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.877] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.877] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0110.877] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.877] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.878] CloseHandle (hObject=0x210) returned 1 [0110.878] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.878] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.878] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0110.878] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.879] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.879] CloseHandle (hObject=0x210) returned 1 [0110.879] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.880] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.880] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.880] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0110.880] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.880] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.880] CloseHandle (hObject=0x210) returned 1 [0110.880] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0110.881] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.881] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.881] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0110.881] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0110.881] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0110.882] CloseHandle (hObject=0x210) returned 1 [0110.882] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0110.882] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.882] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.882] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0110.882] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0110.883] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0110.883] CloseHandle (hObject=0x210) returned 1 [0110.883] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0110.884] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.884] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.884] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0110.884] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0110.884] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0110.884] CloseHandle (hObject=0x210) returned 1 [0110.884] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0110.885] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0110.885] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0110.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0110.885] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.885] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0110.885] CloseHandle (hObject=0x210) returned 1 [0110.886] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0111.011] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.018] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.021] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0111.021] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0111.022] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0111.032] CloseHandle (hObject=0x210) returned 1 [0111.066] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exee", lpUsedDefaultChar=0x0) returned 13 [0111.067] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exestw.exee", lpUsedDefaultChar=0x0) returned 10 [0111.067] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0111.068] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.068] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.068] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0111.069] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0111.069] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0111.069] CloseHandle (hObject=0x210) returned 1 [0111.071] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeee", lpUsedDefaultChar=0x0) returned 12 [0111.072] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeer.exeee", lpUsedDefaultChar=0x0) returned 10 [0111.072] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0111.073] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.073] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.073] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0111.074] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0111.074] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0111.075] CloseHandle (hObject=0x210) returned 1 [0111.077] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exee", lpUsedDefaultChar=0x0) returned 20 [0111.078] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeClickToRun.exee", lpUsedDefaultChar=0x0) returned 10 [0111.079] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0111.079] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.080] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.080] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0111.080] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0111.080] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0111.080] CloseHandle (hObject=0x210) returned 1 [0111.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SecurityHealthService.exe", cchWideChar=25, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SecurityHealthService.exe.exe", lpUsedDefaultChar=0x0) returned 25 [0111.085] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exetyHealthService.exe.exe", lpUsedDefaultChar=0x0) returned 10 [0111.085] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0111.086] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.086] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.086] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0111.086] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0111.086] GetLastError () returned 0x1f [0111.086] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0111.086] CloseHandle (hObject=0x210) returned 1 [0111.087] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0111.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0111.088] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0111.088] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0111.089] CloseHandle (hObject=0x210) returned 1 [0111.090] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0111.091] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0111.091] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0111.092] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0111.092] CloseHandle (hObject=0x210) returned 1 [0111.092] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0111.093] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.093] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.093] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0111.093] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0111.093] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0111.093] CloseHandle (hObject=0x210) returned 1 [0111.094] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0111.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0111.095] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0111.095] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.096] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0111.096] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0111.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0111.097] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0111.097] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0111.097] CloseHandle (hObject=0x210) returned 1 [0111.097] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0111.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.098] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0111.098] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0111.099] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0111.099] CloseHandle (hObject=0x210) returned 1 [0111.099] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0111.100] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.100] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.100] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0111.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0111.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0111.101] CloseHandle (hObject=0x210) returned 1 [0111.101] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0111.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0111.102] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0111.102] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0111.102] CloseHandle (hObject=0x210) returned 1 [0111.102] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0111.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0111.103] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0111.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0111.104] CloseHandle (hObject=0x210) returned 1 [0111.104] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0111.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0111.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0111.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0111.202] CloseHandle (hObject=0x210) returned 1 [0111.202] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0111.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0111.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0111.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0111.204] CloseHandle (hObject=0x210) returned 1 [0111.204] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0111.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0111.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0111.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0111.206] CloseHandle (hObject=0x210) returned 1 [0111.206] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0111.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0111.207] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0111.207] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0111.207] CloseHandle (hObject=0x210) returned 1 [0111.207] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0111.208] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.208] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.208] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0111.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0111.209] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0111.209] CloseHandle (hObject=0x210) returned 1 [0111.209] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0111.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.210] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.210] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0111.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0111.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0111.210] CloseHandle (hObject=0x210) returned 1 [0111.210] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0111.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0111.211] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0111.212] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0111.212] CloseHandle (hObject=0x210) returned 1 [0111.212] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0111.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0111.213] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0111.213] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0111.214] CloseHandle (hObject=0x210) returned 1 [0111.214] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0111.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.215] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0111.215] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0111.215] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0111.215] CloseHandle (hObject=0x210) returned 1 [0111.216] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0111.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0111.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0111.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0111.217] CloseHandle (hObject=0x210) returned 1 [0111.217] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0111.218] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.218] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.218] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0111.218] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0111.218] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0111.219] CloseHandle (hObject=0x210) returned 1 [0111.219] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0111.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.220] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.220] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0111.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0111.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0111.220] CloseHandle (hObject=0x210) returned 1 [0111.220] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0111.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.221] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0111.221] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0111.222] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0111.222] CloseHandle (hObject=0x210) returned 1 [0111.222] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0111.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.223] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.223] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0111.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0111.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0111.223] CloseHandle (hObject=0x210) returned 1 [0111.224] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0111.225] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.225] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.225] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0111.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.226] CloseHandle (hObject=0x210) returned 1 [0111.226] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0111.227] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.227] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.227] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0111.227] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0111.228] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0111.228] CloseHandle (hObject=0x210) returned 1 [0111.228] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0111.229] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.229] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.229] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0111.230] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.244] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.249] CloseHandle (hObject=0x210) returned 1 [0111.261] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="alftp.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alftp.exeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0111.263] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeexeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.263] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0111.264] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.266] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.266] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0111.266] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0111.266] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0111.267] CloseHandle (hObject=0x210) returned 1 [0111.268] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="barca.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="barca.exeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0111.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeexeelnet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.269] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0111.271] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.271] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.271] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0111.271] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0111.271] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0111.271] CloseHandle (hObject=0x210) returned 1 [0111.273] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="bitkinex.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitkinex.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0111.274] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeex.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.274] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0111.276] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.276] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.276] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0111.276] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.276] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.387] CloseHandle (hObject=0x210) returned 1 [0111.388] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="coreftp.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0111.390] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exep.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.390] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0111.391] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.391] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.391] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0111.392] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0111.392] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0111.392] CloseHandle (hObject=0x210) returned 1 [0111.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0111.395] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exee.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.395] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0111.396] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.396] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.396] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0111.396] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0111.397] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0111.397] CloseHandle (hObject=0x210) returned 1 [0111.399] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0111.400] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.400] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.400] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0111.400] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0111.401] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0111.401] CloseHandle (hObject=0x210) returned 1 [0111.402] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0111.403] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.403] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.403] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0111.403] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0111.404] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0111.404] CloseHandle (hObject=0x210) returned 1 [0111.404] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0111.405] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.406] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.406] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0111.406] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0111.406] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0111.406] CloseHandle (hObject=0x210) returned 1 [0111.406] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0111.408] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.408] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.408] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0111.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0111.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0111.409] CloseHandle (hObject=0x210) returned 1 [0111.409] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0111.410] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.410] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.410] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0111.410] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0111.411] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0111.411] CloseHandle (hObject=0x210) returned 1 [0111.411] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0111.412] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.412] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0111.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.414] CloseHandle (hObject=0x210) returned 1 [0111.414] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0111.415] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.415] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.415] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0111.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.416] CloseHandle (hObject=0x210) returned 1 [0111.416] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0111.418] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.418] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.418] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0111.418] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0111.418] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0111.418] CloseHandle (hObject=0x210) returned 1 [0111.418] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0111.420] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.420] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.420] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0111.420] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0111.420] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0111.420] CloseHandle (hObject=0x210) returned 1 [0111.421] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0111.422] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.422] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.422] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0111.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0111.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0111.423] CloseHandle (hObject=0x210) returned 1 [0111.423] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0111.424] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.424] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.424] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0111.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0111.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0111.425] CloseHandle (hObject=0x210) returned 1 [0111.425] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0111.531] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.532] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.532] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0111.532] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.532] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.532] CloseHandle (hObject=0x210) returned 1 [0111.532] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0111.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0111.534] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0111.534] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0111.534] CloseHandle (hObject=0x210) returned 1 [0111.535] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0111.536] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.536] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.536] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0111.536] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.536] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0111.537] CloseHandle (hObject=0x210) returned 1 [0111.537] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0111.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0111.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0111.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0111.539] CloseHandle (hObject=0x210) returned 1 [0111.539] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0111.540] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.540] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.540] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0111.540] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0111.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0111.541] CloseHandle (hObject=0x210) returned 1 [0111.541] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0111.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0111.542] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0111.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0111.543] CloseHandle (hObject=0x210) returned 1 [0111.543] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0111.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.544] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.544] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0111.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0111.545] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0111.545] CloseHandle (hObject=0x210) returned 1 [0111.547] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="webdrive.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0111.548] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeve.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.548] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0111.550] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.550] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.550] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0111.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0111.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0111.551] CloseHandle (hObject=0x210) returned 1 [0111.552] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0111.554] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exepp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.554] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0111.555] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.555] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.555] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0111.555] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0111.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0111.556] CloseHandle (hObject=0x210) returned 1 [0111.557] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.559] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exe.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.559] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0111.560] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.560] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.560] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0111.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0111.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0111.561] CloseHandle (hObject=0x210) returned 1 [0111.563] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0111.564] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.564] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0111.565] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.566] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.566] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0111.566] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0111.566] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0111.566] CloseHandle (hObject=0x210) returned 1 [0111.568] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 17 [0111.569] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0111.570] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.570] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.570] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0111.571] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0111.571] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0111.571] CloseHandle (hObject=0x210) returned 1 [0111.572] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0111.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0111.573] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0111.573] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0111.696] CloseHandle (hObject=0x210) returned 1 [0111.696] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0111.697] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.697] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.697] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0111.697] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0111.698] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0111.698] CloseHandle (hObject=0x210) returned 1 [0111.698] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0111.700] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.700] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.700] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0111.700] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0111.700] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0111.700] CloseHandle (hObject=0x210) returned 1 [0111.701] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0111.702] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.702] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.702] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0111.702] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0111.702] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0111.702] CloseHandle (hObject=0x210) returned 1 [0111.703] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0111.704] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.704] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.704] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0111.704] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0111.704] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0111.704] CloseHandle (hObject=0x210) returned 1 [0111.705] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0111.706] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.706] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.706] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0111.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0111.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0111.706] CloseHandle (hObject=0x210) returned 1 [0111.706] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0111.708] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.708] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.708] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0111.708] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0111.708] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0111.708] CloseHandle (hObject=0x210) returned 1 [0111.708] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0111.709] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.710] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.710] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0111.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0111.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0111.710] CloseHandle (hObject=0x210) returned 1 [0111.710] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0111.711] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.711] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.711] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0111.711] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0111.712] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0111.712] CloseHandle (hObject=0x210) returned 1 [0111.712] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0111.713] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.713] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.713] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0111.713] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0111.713] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0111.714] CloseHandle (hObject=0x210) returned 1 [0111.714] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0111.715] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.715] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.715] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0111.715] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0111.716] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0111.716] CloseHandle (hObject=0x210) returned 1 [0111.716] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0111.717] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.717] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.717] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0111.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0111.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0111.718] CloseHandle (hObject=0x210) returned 1 [0111.718] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0111.719] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.719] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.719] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0111.719] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0111.719] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0111.719] CloseHandle (hObject=0x210) returned 1 [0111.720] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0111.721] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.721] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.721] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0111.721] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0111.721] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0111.721] CloseHandle (hObject=0x210) returned 1 [0111.721] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0111.722] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.723] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.723] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0111.723] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0111.723] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0111.723] CloseHandle (hObject=0x210) returned 1 [0111.723] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0111.724] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.725] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.725] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0111.725] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0111.725] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0111.725] CloseHandle (hObject=0x210) returned 1 [0111.725] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0111.726] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.726] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.726] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0111.726] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0111.727] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0111.727] CloseHandle (hObject=0x210) returned 1 [0111.727] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0111.728] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.728] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.728] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0111.728] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0111.729] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0111.729] CloseHandle (hObject=0x210) returned 1 [0111.729] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0111.878] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.878] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0111.878] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0111.879] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0111.879] CloseHandle (hObject=0x210) returned 1 [0111.880] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="UsoClient.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UsoClient.exeexeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 13 [0111.881] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeent.exeexeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.882] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0111.883] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.883] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.883] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0111.883] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0111.883] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0111.883] CloseHandle (hObject=0x210) returned 1 [0111.885] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DeviceCensus.exe", cchWideChar=16, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DeviceCensus.exeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 16 [0111.886] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeCensus.exeer-meal.exeous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.886] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0111.887] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.887] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.887] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0111.888] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0111.888] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0111.888] CloseHandle (hObject=0x210) returned 1 [0111.891] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="UNPCampaignManager.exe", cchWideChar=22, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UNPCampaignManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 22 [0111.892] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exepaignManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.892] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0111.893] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.893] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.894] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0111.894] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0111.894] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0111.894] CloseHandle (hObject=0x210) returned 1 [0111.895] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoia.exegnManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 9 [0111.897] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="backup.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="backup.exeexegnManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 10 [0111.897] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0111.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.898] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.898] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0111.898] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0111.898] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0111.898] CloseHandle (hObject=0x210) returned 1 [0111.899] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msoia.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msoia.exegnManager.exel.exeous.exe", lpUsedDefaultChar=0x0) returned 9 [0111.900] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0111.901] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.901] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.901] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0111.901] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0111.901] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0111.902] CloseHandle (hObject=0x210) returned 1 [0111.902] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0111.903] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.903] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.903] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0111.903] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0111.904] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0111.904] CloseHandle (hObject=0x210) returned 1 [0111.904] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0111.905] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.905] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.905] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0111.905] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0111.905] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0111.905] CloseHandle (hObject=0x210) returned 1 [0111.906] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0111.906] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.906] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.906] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0111.907] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0111.907] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0111.907] CloseHandle (hObject=0x210) returned 1 [0111.907] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0111.908] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0111.908] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0111.908] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0111.908] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0111.908] GetLastError () returned 0x1f [0111.908] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0111.908] CloseHandle (hObject=0x210) returned 1 [0112.037] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.038] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.038] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.038] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0112.039] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.039] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.039] CloseHandle (hObject=0x210) returned 1 [0112.039] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0112.040] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.040] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.040] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0112.040] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0112.040] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0112.040] CloseHandle (hObject=0x210) returned 1 [0112.040] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.041] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.041] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.041] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0112.041] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0112.042] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0112.042] CloseHandle (hObject=0x210) returned 1 [0112.042] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0112.054] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.055] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.055] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0112.055] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0112.055] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0112.055] CloseHandle (hObject=0x210) returned 1 [0112.055] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0112.056] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.056] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.056] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0112.056] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0112.056] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0112.057] CloseHandle (hObject=0x210) returned 1 [0112.057] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x70e8c, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??????")) returned 0 [0112.057] CloseHandle (hObject=0x20c) returned 1 [0112.057] Sleep (dwMilliseconds=0x1) [0112.154] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0112.154] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x34a6c8, cbMultiByte=12, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="ccleaner.exesqlplussvc.exe") returned 12 [0112.156] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner.exe", cchWideChar=12, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0112.156] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0112.157] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0112.157] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0112.167] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.168] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.168] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.168] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0112.170] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner.exe\x0c", lpUsedDefaultChar=0x0) returned 12 [0112.170] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0112.170] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.170] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.171] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0112.171] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0112.171] GetLastError () returned 0x1f [0112.171] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0112.171] CloseHandle (hObject=0x210) returned 1 [0112.181] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0112.182] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.182] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.182] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0112.182] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0112.182] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0112.183] CloseHandle (hObject=0x210) returned 1 [0112.184] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.185] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.185] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.185] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0112.185] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0112.185] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.185] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.186] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0112.186] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0112.186] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0112.186] CloseHandle (hObject=0x210) returned 1 [0112.186] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0112.187] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.187] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.187] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0112.187] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0112.187] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0112.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0112.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0112.188] CloseHandle (hObject=0x210) returned 1 [0112.188] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0112.189] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.189] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.189] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0112.189] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0112.189] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0112.189] CloseHandle (hObject=0x210) returned 1 [0112.189] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0112.190] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0112.190] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0112.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0112.191] CloseHandle (hObject=0x210) returned 1 [0112.191] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.192] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.192] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.192] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0112.192] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.192] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.192] CloseHandle (hObject=0x210) returned 1 [0112.192] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0112.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0112.193] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0112.194] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0112.194] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0112.195] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.196] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.196] CloseHandle (hObject=0x210) returned 1 [0112.196] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0112.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0112.197] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0112.198] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.198] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.405] CloseHandle (hObject=0x210) returned 1 [0112.405] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.406] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.406] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.406] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0112.406] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.407] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.407] CloseHandle (hObject=0x210) returned 1 [0112.407] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.408] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.408] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.408] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0112.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.408] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.409] CloseHandle (hObject=0x210) returned 1 [0112.409] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.409] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.409] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.409] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0112.409] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.410] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.410] CloseHandle (hObject=0x210) returned 1 [0112.410] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.411] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.411] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.411] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0112.411] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.411] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.411] CloseHandle (hObject=0x210) returned 1 [0112.411] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.412] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.412] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0112.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.413] CloseHandle (hObject=0x210) returned 1 [0112.413] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.414] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.414] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.414] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0112.414] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.415] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.415] CloseHandle (hObject=0x210) returned 1 [0112.415] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.416] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.416] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.416] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0112.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.416] CloseHandle (hObject=0x210) returned 1 [0112.416] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.417] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.417] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.417] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0112.418] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.418] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.418] CloseHandle (hObject=0x210) returned 1 [0112.418] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.419] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.419] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.419] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0112.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.419] CloseHandle (hObject=0x210) returned 1 [0112.419] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.420] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.420] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.420] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0112.420] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.420] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.421] CloseHandle (hObject=0x210) returned 1 [0112.421] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0112.421] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.421] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.421] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0112.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0112.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0112.422] CloseHandle (hObject=0x210) returned 1 [0112.422] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0112.423] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.423] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.423] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0112.423] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0112.423] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0112.423] CloseHandle (hObject=0x210) returned 1 [0112.423] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0112.424] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.424] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.424] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0112.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0112.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0112.424] CloseHandle (hObject=0x210) returned 1 [0112.425] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.425] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.425] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.425] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0112.425] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.426] CloseHandle (hObject=0x210) returned 1 [0112.426] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0112.427] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.427] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.427] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0112.427] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0112.427] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0112.427] CloseHandle (hObject=0x210) returned 1 [0112.427] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0112.428] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.428] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.428] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0112.428] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0112.428] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62744, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0112.428] CloseHandle (hObject=0x210) returned 1 [0112.428] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0112.429] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.429] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.429] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0112.429] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0112.429] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0112.430] CloseHandle (hObject=0x210) returned 1 [0112.430] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0112.430] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.430] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.430] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0112.430] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0112.431] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0112.431] CloseHandle (hObject=0x210) returned 1 [0112.431] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0112.431] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.431] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.431] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0112.432] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0112.432] GetLastError () returned 0x1f [0112.432] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0112.432] CloseHandle (hObject=0x210) returned 1 [0112.448] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0112.449] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.576] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.576] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0112.577] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0112.577] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0112.577] CloseHandle (hObject=0x210) returned 1 [0112.577] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0112.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.578] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.578] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0112.578] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0112.578] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0112.579] CloseHandle (hObject=0x210) returned 1 [0112.579] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0112.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0112.580] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0112.580] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0112.580] CloseHandle (hObject=0x210) returned 1 [0112.580] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0112.581] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.581] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.581] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0112.581] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0112.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.582] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0112.582] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0112.583] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.583] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.583] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0112.583] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.584] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0112.584] CloseHandle (hObject=0x210) returned 1 [0112.584] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0112.585] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.585] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.585] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0112.585] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0112.585] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0112.585] CloseHandle (hObject=0x210) returned 1 [0112.585] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0112.586] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.586] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.586] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0112.586] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0112.587] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0112.587] CloseHandle (hObject=0x210) returned 1 [0112.587] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0112.588] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0112.588] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0112.588] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0112.589] CloseHandle (hObject=0x210) returned 1 [0112.589] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0112.590] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.590] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.590] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0112.590] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0112.590] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0112.591] CloseHandle (hObject=0x210) returned 1 [0112.591] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0112.591] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.591] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.592] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0112.592] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0112.592] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0112.592] CloseHandle (hObject=0x210) returned 1 [0112.592] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0112.593] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.593] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.593] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0112.593] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0112.593] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0112.594] CloseHandle (hObject=0x210) returned 1 [0112.594] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0112.595] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.595] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0112.595] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0112.595] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0112.595] CloseHandle (hObject=0x210) returned 1 [0112.595] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0112.596] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.596] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.596] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0112.596] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0112.597] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0112.597] CloseHandle (hObject=0x210) returned 1 [0112.597] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0112.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.598] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.598] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0112.598] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0112.598] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0112.598] CloseHandle (hObject=0x210) returned 1 [0112.598] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0112.599] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.599] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.599] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0112.599] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0112.600] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0112.600] CloseHandle (hObject=0x210) returned 1 [0112.600] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0112.601] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0112.601] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0112.601] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0112.601] CloseHandle (hObject=0x210) returned 1 [0112.601] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0112.602] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.602] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.602] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0112.602] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0112.603] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0112.603] CloseHandle (hObject=0x210) returned 1 [0112.603] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0112.604] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.605] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.605] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0112.605] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0112.605] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0112.605] CloseHandle (hObject=0x210) returned 1 [0112.606] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0112.606] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.606] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.607] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0112.607] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0112.607] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0112.607] CloseHandle (hObject=0x210) returned 1 [0112.607] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0112.608] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.608] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0112.608] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0112.608] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0112.609] CloseHandle (hObject=0x210) returned 1 [0112.609] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0112.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.610] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.610] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0112.610] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0112.610] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0112.610] CloseHandle (hObject=0x210) returned 1 [0112.610] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0112.611] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.611] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.611] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0112.611] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0112.611] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0112.612] CloseHandle (hObject=0x210) returned 1 [0112.612] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0112.613] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.613] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.613] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0112.613] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0112.613] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0112.613] CloseHandle (hObject=0x210) returned 1 [0112.613] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0112.615] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.615] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.615] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0112.615] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.615] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.615] CloseHandle (hObject=0x210) returned 1 [0112.615] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0112.617] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.617] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.617] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0112.617] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0112.617] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0112.617] CloseHandle (hObject=0x210) returned 1 [0112.618] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0112.619] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.619] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.619] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0112.619] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.619] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.619] CloseHandle (hObject=0x210) returned 1 [0112.620] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0112.708] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.708] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.708] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0112.708] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0112.708] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0112.708] CloseHandle (hObject=0x210) returned 1 [0112.708] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0112.710] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.710] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.710] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0112.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0112.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0112.710] CloseHandle (hObject=0x210) returned 1 [0112.711] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0112.712] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.712] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.712] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0112.712] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.712] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.712] CloseHandle (hObject=0x210) returned 1 [0112.713] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0112.714] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.714] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.714] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0112.714] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0112.715] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0112.715] CloseHandle (hObject=0x210) returned 1 [0112.715] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0112.716] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.716] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.716] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0112.716] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0112.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0112.717] CloseHandle (hObject=0x210) returned 1 [0112.717] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0112.718] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.718] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.718] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0112.718] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0112.719] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0112.719] CloseHandle (hObject=0x210) returned 1 [0112.719] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0112.720] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.720] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.720] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0112.720] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0112.721] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0112.721] CloseHandle (hObject=0x210) returned 1 [0112.721] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0112.722] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.722] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.722] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0112.722] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0112.723] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0112.723] CloseHandle (hObject=0x210) returned 1 [0112.723] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0112.724] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.725] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.725] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0112.725] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0112.725] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0112.725] CloseHandle (hObject=0x210) returned 1 [0112.725] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0112.727] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.727] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.727] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0112.727] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0112.727] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0112.727] CloseHandle (hObject=0x210) returned 1 [0112.727] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0112.729] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.729] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.729] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0112.729] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.729] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.729] CloseHandle (hObject=0x210) returned 1 [0112.730] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0112.752] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.752] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.752] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0112.752] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.753] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.753] CloseHandle (hObject=0x210) returned 1 [0112.753] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0112.754] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.754] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.754] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0112.755] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0112.755] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0112.755] CloseHandle (hObject=0x210) returned 1 [0112.755] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0112.756] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.757] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0112.757] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0112.757] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0112.757] CloseHandle (hObject=0x210) returned 1 [0112.757] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0112.758] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.759] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.759] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0112.759] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0112.759] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0112.759] CloseHandle (hObject=0x210) returned 1 [0112.759] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0112.760] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0112.761] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0112.761] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0112.897] CloseHandle (hObject=0x210) returned 1 [0112.897] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0112.898] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.898] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.898] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0112.898] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.898] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.899] CloseHandle (hObject=0x210) returned 1 [0112.899] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0112.900] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.900] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.900] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0112.900] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0112.900] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0112.901] CloseHandle (hObject=0x210) returned 1 [0112.901] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0112.902] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.902] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.902] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0112.902] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.903] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0112.903] CloseHandle (hObject=0x210) returned 1 [0112.903] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0112.904] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.904] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.904] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0112.904] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0112.905] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0112.905] CloseHandle (hObject=0x210) returned 1 [0112.905] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0112.906] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.906] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.906] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0112.906] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0112.907] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0112.907] CloseHandle (hObject=0x210) returned 1 [0112.907] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0112.908] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.908] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.908] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0112.908] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0112.909] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0112.909] CloseHandle (hObject=0x210) returned 1 [0112.909] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0112.910] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.910] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.910] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0112.910] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0112.911] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0112.911] CloseHandle (hObject=0x210) returned 1 [0112.911] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0112.912] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.912] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.912] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0112.912] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0112.913] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0112.913] CloseHandle (hObject=0x210) returned 1 [0112.913] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0112.915] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.915] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.915] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0112.915] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0112.915] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0112.915] CloseHandle (hObject=0x210) returned 1 [0112.915] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0112.917] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.917] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.917] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0112.917] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0112.917] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0112.918] CloseHandle (hObject=0x210) returned 1 [0112.918] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0112.919] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.919] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.919] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0112.919] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0112.920] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0112.920] CloseHandle (hObject=0x210) returned 1 [0112.920] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0112.921] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.921] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.921] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0112.921] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0112.922] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0112.922] CloseHandle (hObject=0x210) returned 1 [0112.922] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0112.923] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.923] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.923] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0112.923] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0112.923] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0112.924] CloseHandle (hObject=0x210) returned 1 [0112.924] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0112.925] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.925] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.925] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0112.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0112.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0112.926] CloseHandle (hObject=0x210) returned 1 [0112.926] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0112.927] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.927] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.927] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0112.927] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0112.927] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0112.927] CloseHandle (hObject=0x210) returned 1 [0112.928] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0112.929] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.929] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.929] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0112.929] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0112.929] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0112.929] CloseHandle (hObject=0x210) returned 1 [0112.929] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0112.931] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0112.931] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0112.931] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0112.931] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0112.931] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0112.931] CloseHandle (hObject=0x210) returned 1 [0112.931] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0113.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0113.088] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0113.089] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0113.089] CloseHandle (hObject=0x210) returned 1 [0113.089] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0113.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0113.090] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0113.091] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0113.091] CloseHandle (hObject=0x210) returned 1 [0113.091] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0113.092] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.092] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.092] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0113.092] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0113.092] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0113.092] CloseHandle (hObject=0x210) returned 1 [0113.092] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0113.093] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.093] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.093] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0113.094] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0113.094] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0113.094] CloseHandle (hObject=0x210) returned 1 [0113.094] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0113.095] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.095] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0113.095] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0113.095] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0113.095] CloseHandle (hObject=0x210) returned 1 [0113.095] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0113.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.096] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0113.096] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0113.097] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0113.097] CloseHandle (hObject=0x210) returned 1 [0113.097] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0113.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.098] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0113.098] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0113.098] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0113.098] CloseHandle (hObject=0x210) returned 1 [0113.098] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0113.099] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0113.099] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0113.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0113.100] CloseHandle (hObject=0x210) returned 1 [0113.100] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0113.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.101] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.101] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0113.101] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0113.101] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0113.101] CloseHandle (hObject=0x210) returned 1 [0113.101] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0113.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0113.103] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0113.103] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0113.103] CloseHandle (hObject=0x210) returned 1 [0113.103] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0113.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0113.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0113.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0113.104] CloseHandle (hObject=0x210) returned 1 [0113.105] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0113.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0113.106] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0113.106] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0113.106] CloseHandle (hObject=0x210) returned 1 [0113.106] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0113.107] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.107] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.107] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0113.107] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0113.107] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0113.108] CloseHandle (hObject=0x210) returned 1 [0113.108] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0113.108] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0113.109] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0113.109] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0113.109] CloseHandle (hObject=0x210) returned 1 [0113.109] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0113.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.110] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.110] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0113.110] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0113.110] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0113.111] CloseHandle (hObject=0x210) returned 1 [0113.111] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0113.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0113.112] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0113.112] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0113.112] CloseHandle (hObject=0x210) returned 1 [0113.112] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0113.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.114] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0113.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0113.114] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0113.114] CloseHandle (hObject=0x210) returned 1 [0113.114] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0113.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0113.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0113.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0113.115] CloseHandle (hObject=0x210) returned 1 [0113.116] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0113.117] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0113.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0113.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0113.118] CloseHandle (hObject=0x210) returned 1 [0113.118] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0113.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.119] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0113.119] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0113.119] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0113.119] CloseHandle (hObject=0x210) returned 1 [0113.119] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0113.120] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.120] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.120] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0113.229] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0113.229] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0113.229] CloseHandle (hObject=0x210) returned 1 [0113.229] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0113.230] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0113.231] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0113.231] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0113.231] CloseHandle (hObject=0x210) returned 1 [0113.231] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0113.232] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.232] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.232] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0113.232] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0113.232] GetLastError () returned 0x1f [0113.232] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0113.232] CloseHandle (hObject=0x210) returned 1 [0113.244] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.245] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.245] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.245] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0113.245] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.245] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.245] CloseHandle (hObject=0x210) returned 1 [0113.245] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0113.246] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0113.246] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0113.247] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0113.247] CloseHandle (hObject=0x210) returned 1 [0113.247] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0113.248] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.248] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.248] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0113.248] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0113.248] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0113.248] CloseHandle (hObject=0x210) returned 1 [0113.248] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0113.249] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.249] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.249] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0113.249] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0113.249] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0113.250] CloseHandle (hObject=0x210) returned 1 [0113.250] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0113.250] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.250] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.250] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0113.250] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0113.251] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0113.251] CloseHandle (hObject=0x210) returned 1 [0113.251] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0113.251] CloseHandle (hObject=0x20c) returned 1 [0113.252] Sleep (dwMilliseconds=0x1) [0113.340] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0113.340] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x34a6e8, cbMultiByte=14, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="ccleaner64.exelplussvc.exe") returned 14 [0113.342] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exexe", lpUsedDefaultChar=0x0) returned 14 [0113.342] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0113.343] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe64.exexe", lpUsedDefaultChar=0x0) returned 12 [0113.343] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0113.524] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0113.525] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.525] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.525] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0113.527] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exe", lpUsedDefaultChar=0x0) returned 14 [0113.527] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0113.528] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.528] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0113.528] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0113.528] GetLastError () returned 0x1f [0113.528] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0113.528] CloseHandle (hObject=0x210) returned 1 [0113.537] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0113.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0113.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0113.539] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0113.539] CloseHandle (hObject=0x210) returned 1 [0113.539] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.540] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.540] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.540] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0113.540] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0113.541] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.541] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.541] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0113.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0113.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0113.541] CloseHandle (hObject=0x210) returned 1 [0113.542] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0113.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0113.543] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0113.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0113.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0113.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0113.544] CloseHandle (hObject=0x210) returned 1 [0113.544] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0113.545] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.545] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.545] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0113.545] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0113.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0113.546] CloseHandle (hObject=0x210) returned 1 [0113.547] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0113.549] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exexe", lpUsedDefaultChar=0x0) returned 14 [0113.549] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0113.550] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.550] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.550] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0113.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0113.551] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0113.551] CloseHandle (hObject=0x210) returned 1 [0113.552] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exeexe", lpUsedDefaultChar=0x0) returned 9 [0113.554] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exexe", lpUsedDefaultChar=0x0) returned 14 [0113.554] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.555] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.555] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.555] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0113.555] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.555] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.555] CloseHandle (hObject=0x210) returned 1 [0113.557] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0113.691] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exeee", lpUsedDefaultChar=0x0) returned 14 [0113.691] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0113.692] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.692] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.692] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0113.694] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0113.695] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exeee", lpUsedDefaultChar=0x0) returned 14 [0113.695] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0113.696] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.696] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.696] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0113.698] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0113.698] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.699] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0113.699] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.701] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.701] CloseHandle (hObject=0x210) returned 1 [0113.702] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0113.703] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.703] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.703] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0113.703] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.704] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.704] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.704] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0113.704] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.704] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.705] CloseHandle (hObject=0x210) returned 1 [0113.705] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.705] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.705] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.706] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0113.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.706] CloseHandle (hObject=0x210) returned 1 [0113.706] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.707] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.707] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.707] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0113.707] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.707] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.708] CloseHandle (hObject=0x210) returned 1 [0113.708] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.708] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.708] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.708] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0113.709] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.709] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.709] CloseHandle (hObject=0x210) returned 1 [0113.709] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.710] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.710] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.710] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0113.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.711] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.711] CloseHandle (hObject=0x210) returned 1 [0113.711] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.712] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.712] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.712] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0113.712] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.712] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.712] CloseHandle (hObject=0x210) returned 1 [0113.712] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.713] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.713] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.713] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0113.713] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.714] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.714] CloseHandle (hObject=0x210) returned 1 [0113.714] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.715] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.715] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.715] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0113.715] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.715] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.716] CloseHandle (hObject=0x210) returned 1 [0113.716] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.716] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.717] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.717] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0113.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.717] CloseHandle (hObject=0x210) returned 1 [0113.717] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.718] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.718] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.718] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0113.718] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.719] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.719] CloseHandle (hObject=0x210) returned 1 [0113.719] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.720] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.720] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.720] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0113.720] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.720] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.720] CloseHandle (hObject=0x210) returned 1 [0113.720] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0113.721] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.721] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.721] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0113.721] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0113.722] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0113.722] CloseHandle (hObject=0x210) returned 1 [0113.722] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0113.723] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.723] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.723] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0113.723] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0113.723] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0113.723] CloseHandle (hObject=0x210) returned 1 [0113.723] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0113.902] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.902] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.902] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0113.902] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0113.902] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0113.904] CloseHandle (hObject=0x210) returned 1 [0113.904] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.905] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.905] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.905] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0113.905] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.905] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.905] CloseHandle (hObject=0x210) returned 1 [0113.910] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0113.911] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.911] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.911] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0113.912] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0113.912] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0113.912] CloseHandle (hObject=0x210) returned 1 [0113.914] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhostw.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhostw.exee", lpUsedDefaultChar=0x0) returned 13 [0113.916] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exeexee", lpUsedDefaultChar=0x0) returned 14 [0113.916] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0113.917] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.917] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.917] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0113.917] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0113.917] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0113.917] CloseHandle (hObject=0x210) returned 1 [0113.919] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeee", lpUsedDefaultChar=0x0) returned 12 [0113.921] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exexeee", lpUsedDefaultChar=0x0) returned 14 [0113.921] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0113.922] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.922] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.922] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0113.922] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0113.922] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0113.922] CloseHandle (hObject=0x210) returned 1 [0113.925] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exee", lpUsedDefaultChar=0x0) returned 20 [0113.927] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exekToRun.exee", lpUsedDefaultChar=0x0) returned 14 [0113.927] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0113.927] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.928] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.928] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0113.928] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0113.928] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0113.928] CloseHandle (hObject=0x210) returned 1 [0113.932] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SecurityHealthService.exe", cchWideChar=25, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SecurityHealthService.exe.exe", lpUsedDefaultChar=0x0) returned 25 [0113.933] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0113.934] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.934] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.934] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0113.934] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0113.934] GetLastError () returned 0x1f [0113.934] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0113.934] CloseHandle (hObject=0x210) returned 1 [0113.935] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0113.935] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.935] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.935] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0113.936] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0113.936] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0113.936] CloseHandle (hObject=0x210) returned 1 [0113.936] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0113.937] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.937] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.937] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0113.937] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0113.937] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0113.938] CloseHandle (hObject=0x210) returned 1 [0113.938] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0113.938] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.939] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.939] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0113.939] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0113.939] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0113.939] CloseHandle (hObject=0x210) returned 1 [0113.939] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0113.940] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.940] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.940] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0113.940] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0113.941] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.941] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.941] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0113.941] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0113.942] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0113.942] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0113.942] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0113.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0113.943] CloseHandle (hObject=0x210) returned 1 [0113.943] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0114.068] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.069] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.069] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0114.069] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0114.069] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0114.069] CloseHandle (hObject=0x210) returned 1 [0114.069] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0114.071] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.071] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.071] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0114.071] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0114.071] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0114.071] CloseHandle (hObject=0x210) returned 1 [0114.071] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0114.072] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.072] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.072] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0114.072] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0114.073] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0114.073] CloseHandle (hObject=0x210) returned 1 [0114.073] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0114.074] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.074] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.074] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0114.074] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0114.074] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0114.074] CloseHandle (hObject=0x210) returned 1 [0114.075] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0114.075] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.075] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.075] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0114.075] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0114.076] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0114.076] CloseHandle (hObject=0x210) returned 1 [0114.076] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0114.077] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.077] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.077] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0114.077] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0114.077] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0114.078] CloseHandle (hObject=0x210) returned 1 [0114.078] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0114.078] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.078] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.078] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0114.079] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0114.079] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0114.079] CloseHandle (hObject=0x210) returned 1 [0114.079] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0114.080] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.080] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.080] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0114.080] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0114.080] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0114.081] CloseHandle (hObject=0x210) returned 1 [0114.081] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0114.081] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.082] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.082] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0114.082] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0114.082] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0114.082] CloseHandle (hObject=0x210) returned 1 [0114.082] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0114.083] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.083] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.083] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0114.083] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0114.084] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0114.084] CloseHandle (hObject=0x210) returned 1 [0114.084] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0114.085] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.085] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.085] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0114.085] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0114.085] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0114.085] CloseHandle (hObject=0x210) returned 1 [0114.085] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0114.086] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.087] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.087] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0114.087] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0114.087] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0114.087] CloseHandle (hObject=0x210) returned 1 [0114.087] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0114.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0114.088] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0114.088] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0114.089] CloseHandle (hObject=0x210) returned 1 [0114.089] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0114.089] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0114.090] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0114.090] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0114.090] CloseHandle (hObject=0x210) returned 1 [0114.090] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0114.091] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0114.091] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0114.091] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0114.092] CloseHandle (hObject=0x210) returned 1 [0114.092] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0114.093] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.093] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.093] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0114.093] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0114.093] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0114.093] CloseHandle (hObject=0x210) returned 1 [0114.093] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0114.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.094] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0114.094] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0114.095] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0114.095] CloseHandle (hObject=0x210) returned 1 [0114.095] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0114.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.096] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0114.096] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0114.096] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0114.096] CloseHandle (hObject=0x210) returned 1 [0114.096] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0114.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.098] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0114.098] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.098] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.098] CloseHandle (hObject=0x210) returned 1 [0114.099] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0114.100] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.100] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.100] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0114.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0114.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0114.100] CloseHandle (hObject=0x210) returned 1 [0114.101] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0114.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.240] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.240] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0114.240] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.241] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.241] CloseHandle (hObject=0x210) returned 1 [0114.241] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0114.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.243] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.243] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0114.243] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0114.243] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0114.243] CloseHandle (hObject=0x210) returned 1 [0114.243] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0114.245] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.245] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.245] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0114.245] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0114.245] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0114.245] CloseHandle (hObject=0x210) returned 1 [0114.245] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0114.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0114.247] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.247] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.247] CloseHandle (hObject=0x210) returned 1 [0114.248] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0114.249] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.249] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.249] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0114.249] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0114.249] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0114.250] CloseHandle (hObject=0x210) returned 1 [0114.250] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0114.251] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.251] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.251] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0114.251] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0114.252] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0114.252] CloseHandle (hObject=0x210) returned 1 [0114.252] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0114.253] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.253] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.253] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0114.253] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0114.254] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0114.254] CloseHandle (hObject=0x210) returned 1 [0114.254] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0114.255] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.255] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.255] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0114.255] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0114.256] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0114.256] CloseHandle (hObject=0x210) returned 1 [0114.256] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0114.257] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.258] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.258] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0114.258] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0114.258] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0114.259] CloseHandle (hObject=0x210) returned 1 [0114.259] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0114.260] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.260] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.260] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0114.260] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0114.260] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0114.261] CloseHandle (hObject=0x210) returned 1 [0114.261] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0114.262] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.262] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.262] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0114.262] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0114.263] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0114.263] CloseHandle (hObject=0x210) returned 1 [0114.263] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0114.264] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.266] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.266] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0114.266] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.267] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.267] CloseHandle (hObject=0x210) returned 1 [0114.267] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0114.268] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.268] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.268] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0114.268] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.269] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.269] CloseHandle (hObject=0x210) returned 1 [0114.269] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0114.270] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.270] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.270] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0114.270] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0114.271] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0114.271] CloseHandle (hObject=0x210) returned 1 [0114.271] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0114.272] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.272] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.272] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0114.272] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0114.273] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0114.273] CloseHandle (hObject=0x210) returned 1 [0114.414] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0114.416] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.416] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.416] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0114.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0114.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0114.417] CloseHandle (hObject=0x210) returned 1 [0114.417] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0114.418] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.419] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.419] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0114.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0114.419] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0114.419] CloseHandle (hObject=0x210) returned 1 [0114.420] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0114.421] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.421] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.421] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0114.421] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.422] CloseHandle (hObject=0x210) returned 1 [0114.422] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0114.423] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.423] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.424] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0114.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0114.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0114.424] CloseHandle (hObject=0x210) returned 1 [0114.424] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0114.426] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.426] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.426] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0114.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0114.427] CloseHandle (hObject=0x210) returned 1 [0114.427] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0114.428] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.428] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.428] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0114.428] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0114.429] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0114.429] CloseHandle (hObject=0x210) returned 1 [0114.429] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0114.430] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.430] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.430] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0114.431] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0114.431] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0114.431] CloseHandle (hObject=0x210) returned 1 [0114.431] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0114.432] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.433] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.433] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0114.433] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0114.436] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0114.436] CloseHandle (hObject=0x210) returned 1 [0114.436] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0114.437] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.437] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.437] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0114.438] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0114.438] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0114.438] CloseHandle (hObject=0x210) returned 1 [0114.438] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0114.439] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.445] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.445] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0114.445] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0114.446] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0114.446] CloseHandle (hObject=0x210) returned 1 [0114.446] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0114.447] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.447] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.447] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0114.447] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0114.448] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0114.448] CloseHandle (hObject=0x210) returned 1 [0114.448] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0114.449] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.449] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0114.450] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0114.450] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0114.450] CloseHandle (hObject=0x210) returned 1 [0114.450] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0114.451] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.452] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.452] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0114.452] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0114.452] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0114.452] CloseHandle (hObject=0x210) returned 1 [0114.452] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0114.453] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.454] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.454] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0114.454] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0114.454] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0114.454] CloseHandle (hObject=0x210) returned 1 [0114.454] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0114.456] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.456] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.456] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0114.456] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0114.456] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0114.456] CloseHandle (hObject=0x210) returned 1 [0114.456] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0114.458] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.458] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.458] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0114.458] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0114.458] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0114.458] CloseHandle (hObject=0x210) returned 1 [0114.458] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0114.460] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.460] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.460] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0114.460] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0114.460] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0114.460] CloseHandle (hObject=0x210) returned 1 [0114.460] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0114.528] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.528] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0114.528] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0114.529] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0114.529] CloseHandle (hObject=0x210) returned 1 [0114.529] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0114.530] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.530] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.530] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0114.531] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0114.531] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0114.531] CloseHandle (hObject=0x210) returned 1 [0114.531] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0114.532] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.532] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.533] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0114.533] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0114.533] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0114.533] CloseHandle (hObject=0x210) returned 1 [0114.533] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0114.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.535] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0114.535] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0114.535] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0114.535] CloseHandle (hObject=0x210) returned 1 [0114.535] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0114.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.538] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.538] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0114.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0114.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0114.538] CloseHandle (hObject=0x210) returned 1 [0114.539] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0114.540] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.540] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.540] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0114.540] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0114.541] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0114.541] CloseHandle (hObject=0x210) returned 1 [0114.541] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0114.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0114.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0114.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0114.543] CloseHandle (hObject=0x210) returned 1 [0114.543] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0114.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.544] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.544] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0114.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0114.545] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0114.545] CloseHandle (hObject=0x210) returned 1 [0114.545] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0114.546] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.546] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.546] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0114.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0114.547] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0114.547] CloseHandle (hObject=0x210) returned 1 [0114.547] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0114.548] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.548] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.548] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0114.548] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0114.549] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0114.549] CloseHandle (hObject=0x210) returned 1 [0114.549] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0114.550] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.550] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.550] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0114.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0114.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0114.551] CloseHandle (hObject=0x210) returned 1 [0114.551] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0114.552] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.552] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.552] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0114.552] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0114.552] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0114.553] CloseHandle (hObject=0x210) returned 1 [0114.553] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0114.554] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.554] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.554] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0114.554] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0114.554] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0114.555] CloseHandle (hObject=0x210) returned 1 [0114.555] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0114.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0114.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0114.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0114.557] CloseHandle (hObject=0x210) returned 1 [0114.557] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0114.558] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.558] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.558] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0114.558] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0114.558] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0114.559] CloseHandle (hObject=0x210) returned 1 [0114.559] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0114.608] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.608] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0114.608] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0114.608] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0114.609] CloseHandle (hObject=0x210) returned 1 [0114.609] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0114.610] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.610] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.610] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0114.610] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0114.610] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0114.611] CloseHandle (hObject=0x210) returned 1 [0114.611] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0114.612] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.612] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.612] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0114.612] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0114.613] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0114.613] CloseHandle (hObject=0x210) returned 1 [0114.613] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0114.614] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.614] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.614] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0114.614] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0114.614] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0114.615] CloseHandle (hObject=0x210) returned 1 [0114.615] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0114.616] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.616] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.616] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0114.616] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0114.616] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0114.617] CloseHandle (hObject=0x210) returned 1 [0114.617] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0114.630] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.630] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.630] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0114.631] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0114.631] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0114.631] CloseHandle (hObject=0x210) returned 1 [0114.632] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.633] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.633] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.633] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0114.633] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0114.633] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0114.633] CloseHandle (hObject=0x210) returned 1 [0114.633] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0114.644] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.644] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.645] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0114.645] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0114.645] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0114.645] CloseHandle (hObject=0x210) returned 1 [0114.645] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0114.646] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.646] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.646] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0114.647] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0114.647] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0114.647] CloseHandle (hObject=0x210) returned 1 [0114.647] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0114.648] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.648] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.648] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0114.648] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0114.648] GetLastError () returned 0x1f [0114.649] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0114.649] CloseHandle (hObject=0x210) returned 1 [0114.834] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0114.835] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.835] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.835] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0114.835] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0114.835] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0114.836] CloseHandle (hObject=0x210) returned 1 [0114.838] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exetionVerifier.exe", lpUsedDefaultChar=0x0) returned 11 [0114.840] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exeetionVerifier.exe", lpUsedDefaultChar=0x0) returned 14 [0114.840] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0114.841] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.841] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.841] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0114.841] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0114.842] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0114.842] CloseHandle (hObject=0x210) returned 1 [0114.843] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WerFault.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WerFault.exeionVerifier.exe", lpUsedDefaultChar=0x0) returned 12 [0114.845] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exexeionVerifier.exe", lpUsedDefaultChar=0x0) returned 14 [0114.845] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0114.846] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.846] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.846] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0114.847] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0114.847] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0114.847] CloseHandle (hObject=0x210) returned 1 [0114.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeionVerifier.exe", lpUsedDefaultChar=0x0) returned 12 [0114.851] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exexeionVerifier.exe", lpUsedDefaultChar=0x0) returned 14 [0114.851] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0114.852] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.852] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.852] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0114.852] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0114.852] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0114.853] CloseHandle (hObject=0x210) returned 1 [0114.854] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exeeionVerifier.exe", lpUsedDefaultChar=0x0) returned 11 [0114.856] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccleaner64.exe", cchWideChar=14, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccleaner64.exeeeionVerifier.exe", lpUsedDefaultChar=0x0) returned 14 [0114.856] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0114.857] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0114.857] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0114.857] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0114.858] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0114.858] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0114.858] CloseHandle (hObject=0x210) returned 1 [0114.860] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x70e8c, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0114.860] CloseHandle (hObject=0x20c) returned 1 [0114.938] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0114.938] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x3597b0, cbMultiByte=11, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="dbeng50.exeexelplussvc.exe") returned 11 [0114.938] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0114.938] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0115.042] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0115.043] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.043] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.043] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0115.044] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0115.045] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.045] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.045] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0115.045] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0115.045] GetLastError () returned 0x1f [0115.045] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0115.045] CloseHandle (hObject=0x210) returned 1 [0115.060] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0115.062] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.062] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.062] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0115.062] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0115.062] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0115.063] CloseHandle (hObject=0x210) returned 1 [0115.063] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.063] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.064] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.064] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0115.064] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0115.065] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.065] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.065] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0115.065] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0115.065] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0115.065] CloseHandle (hObject=0x210) returned 1 [0115.066] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0115.066] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.067] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.067] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0115.067] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0115.068] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.068] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.068] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0115.068] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0115.068] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0115.068] CloseHandle (hObject=0x210) returned 1 [0115.068] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0115.069] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.070] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.070] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0115.070] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0115.189] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0115.190] CloseHandle (hObject=0x210) returned 1 [0115.190] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0115.191] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.191] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.191] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0115.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0115.192] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0115.192] CloseHandle (hObject=0x210) returned 1 [0115.192] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0115.193] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.194] CloseHandle (hObject=0x210) returned 1 [0115.194] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0115.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.196] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.196] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0115.196] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0115.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0115.197] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.198] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0115.198] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.198] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.199] CloseHandle (hObject=0x210) returned 1 [0115.199] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0115.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0115.200] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.201] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.201] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.201] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0115.201] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.202] CloseHandle (hObject=0x210) returned 1 [0115.202] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0115.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.204] CloseHandle (hObject=0x210) returned 1 [0115.204] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.205] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0115.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.206] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.206] CloseHandle (hObject=0x210) returned 1 [0115.206] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0115.207] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.208] CloseHandle (hObject=0x210) returned 1 [0115.208] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0115.209] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.210] CloseHandle (hObject=0x210) returned 1 [0115.210] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0115.211] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.212] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.212] CloseHandle (hObject=0x210) returned 1 [0115.212] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0115.213] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.214] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.214] CloseHandle (hObject=0x210) returned 1 [0115.214] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.215] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0115.215] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.216] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.216] CloseHandle (hObject=0x210) returned 1 [0115.216] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.217] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.217] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.217] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0115.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.218] CloseHandle (hObject=0x210) returned 1 [0115.218] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0115.219] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.219] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.219] CloseHandle (hObject=0x210) returned 1 [0115.220] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.220] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.221] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0115.221] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.221] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.221] CloseHandle (hObject=0x210) returned 1 [0115.221] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0115.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.223] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0115.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0115.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0115.223] CloseHandle (hObject=0x210) returned 1 [0115.223] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0115.224] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0115.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0115.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0115.225] CloseHandle (hObject=0x210) returned 1 [0115.225] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0115.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0115.333] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0115.333] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0115.333] CloseHandle (hObject=0x210) returned 1 [0115.333] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.334] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.335] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.335] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0115.335] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.335] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.335] CloseHandle (hObject=0x210) returned 1 [0115.335] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0115.336] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.336] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.336] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0115.337] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0115.337] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0115.337] CloseHandle (hObject=0x210) returned 1 [0115.337] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0115.338] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.338] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.338] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0115.338] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0115.339] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0115.339] CloseHandle (hObject=0x210) returned 1 [0115.339] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0115.340] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.340] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.340] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0115.340] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0115.340] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0115.341] CloseHandle (hObject=0x210) returned 1 [0115.341] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0115.342] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.342] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.342] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0115.342] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0115.342] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0115.343] CloseHandle (hObject=0x210) returned 1 [0115.343] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0115.344] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.344] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.344] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0115.344] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0115.344] GetLastError () returned 0x1f [0115.344] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0115.344] CloseHandle (hObject=0x210) returned 1 [0115.412] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0115.413] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.413] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.413] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0115.413] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0115.414] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0115.414] CloseHandle (hObject=0x210) returned 1 [0115.414] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0115.415] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.415] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.415] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0115.415] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0115.416] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0115.416] CloseHandle (hObject=0x210) returned 1 [0115.416] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0115.417] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.417] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.417] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0115.417] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0115.417] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0115.417] CloseHandle (hObject=0x210) returned 1 [0115.418] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0115.418] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.418] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.418] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0115.419] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0115.419] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.419] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.419] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0115.420] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0115.420] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.420] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.420] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0115.421] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.421] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0115.421] CloseHandle (hObject=0x210) returned 1 [0115.421] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0115.422] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.422] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.422] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0115.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0115.422] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0115.423] CloseHandle (hObject=0x210) returned 1 [0115.423] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0115.423] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.424] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.424] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0115.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0115.424] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0115.424] CloseHandle (hObject=0x210) returned 1 [0115.424] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0115.425] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.425] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.425] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0115.425] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0115.426] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0115.426] CloseHandle (hObject=0x210) returned 1 [0115.426] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0115.427] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.427] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.427] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0115.427] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0115.427] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0115.427] CloseHandle (hObject=0x210) returned 1 [0115.428] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0115.428] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.428] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.428] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0115.429] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0115.429] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0115.429] CloseHandle (hObject=0x210) returned 1 [0115.429] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0115.524] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.524] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.524] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0115.525] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0115.525] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0115.525] CloseHandle (hObject=0x210) returned 1 [0115.525] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0115.526] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.526] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.526] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0115.526] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0115.527] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0115.527] CloseHandle (hObject=0x210) returned 1 [0115.527] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0115.528] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.528] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0115.528] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0115.528] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0115.528] CloseHandle (hObject=0x210) returned 1 [0115.528] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0115.529] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.529] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.529] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0115.529] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0115.529] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0115.530] CloseHandle (hObject=0x210) returned 1 [0115.530] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0115.531] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.531] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.531] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0115.531] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0115.531] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0115.531] CloseHandle (hObject=0x210) returned 1 [0115.531] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0115.532] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.532] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.532] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0115.532] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0115.533] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0115.533] CloseHandle (hObject=0x210) returned 1 [0115.533] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0115.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.534] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.534] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0115.534] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0115.534] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0115.535] CloseHandle (hObject=0x210) returned 1 [0115.535] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0115.535] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.536] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.536] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0115.536] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0115.536] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0115.536] CloseHandle (hObject=0x210) returned 1 [0115.536] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0115.537] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.537] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.537] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0115.537] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0115.538] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0115.538] CloseHandle (hObject=0x210) returned 1 [0115.538] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0115.544] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.545] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.545] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0115.545] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0115.545] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0115.545] CloseHandle (hObject=0x210) returned 1 [0115.550] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="transmission discovered famous.exe", cchWideChar=34, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="transmission discovered famous.exe", lpUsedDefaultChar=0x0) returned 34 [0115.551] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exession discovered famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.551] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0115.552] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.552] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.552] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0115.552] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0115.553] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0115.553] CloseHandle (hObject=0x210) returned 1 [0115.554] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="hacker.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hacker.exeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 10 [0115.558] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeexeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.558] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0115.559] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.559] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.559] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0115.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0115.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0115.560] CloseHandle (hObject=0x210) returned 1 [0115.561] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="death.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="death.exeeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 9 [0115.563] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exexeeon discovered famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.563] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0115.564] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.564] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.564] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0115.564] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0115.564] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0115.565] CloseHandle (hObject=0x210) returned 1 [0115.567] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ko_ferrari_inspired.exe", cchWideChar=23, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ko_ferrari_inspired.exe famous.exe", lpUsedDefaultChar=0x0) returned 23 [0115.568] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0115.569] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.569] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.569] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0115.570] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.570] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.621] CloseHandle (hObject=0x210) returned 1 [0115.621] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0115.622] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.623] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.623] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0115.623] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0115.623] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0115.623] CloseHandle (hObject=0x210) returned 1 [0115.623] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0115.625] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.625] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.625] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0115.625] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.625] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.626] CloseHandle (hObject=0x210) returned 1 [0115.626] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0115.627] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.627] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.627] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0115.627] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0115.628] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0115.628] CloseHandle (hObject=0x210) returned 1 [0115.628] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0115.629] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.629] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.629] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0115.630] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0115.630] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0115.630] CloseHandle (hObject=0x210) returned 1 [0115.630] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0115.632] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.632] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.632] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0115.632] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.632] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.632] CloseHandle (hObject=0x210) returned 1 [0115.632] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0115.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0115.634] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0115.634] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0115.635] CloseHandle (hObject=0x210) returned 1 [0115.635] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0115.636] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.636] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.636] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0115.636] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0115.637] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0115.637] CloseHandle (hObject=0x210) returned 1 [0115.637] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0115.638] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.638] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.638] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0115.639] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0115.639] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0115.639] CloseHandle (hObject=0x210) returned 1 [0115.639] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0115.640] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.641] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.641] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0115.641] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0115.641] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0115.641] CloseHandle (hObject=0x210) returned 1 [0115.641] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0115.643] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.643] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.643] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0115.643] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0115.643] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0115.643] CloseHandle (hObject=0x210) returned 1 [0115.643] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0115.645] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.645] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.645] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0115.645] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0115.645] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0115.645] CloseHandle (hObject=0x210) returned 1 [0115.646] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0115.647] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.647] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.647] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0115.647] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0115.647] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0115.648] CloseHandle (hObject=0x210) returned 1 [0115.648] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0115.649] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.650] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.650] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0115.650] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.650] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.650] CloseHandle (hObject=0x210) returned 1 [0115.650] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0115.652] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.652] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.652] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0115.652] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.652] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.652] CloseHandle (hObject=0x210) returned 1 [0115.652] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0115.654] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.654] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.654] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0115.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0115.654] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0115.655] CloseHandle (hObject=0x210) returned 1 [0115.655] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0115.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.656] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0115.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0115.656] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0115.657] CloseHandle (hObject=0x210) returned 1 [0115.657] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0115.658] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.658] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.658] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0115.658] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0115.659] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0115.659] CloseHandle (hObject=0x210) returned 1 [0115.659] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0115.660] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.660] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.661] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0115.661] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0115.728] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0115.728] CloseHandle (hObject=0x210) returned 1 [0115.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="pidgin.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pidgin.exeexepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0115.731] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeexeexepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.731] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0115.732] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.733] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.733] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0115.733] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.733] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.733] CloseHandle (hObject=0x210) returned 1 [0115.735] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="scriptftp.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scriptftp.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 13 [0115.736] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exetp.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.736] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0115.738] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.738] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.738] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0115.738] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0115.738] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0115.739] CloseHandle (hObject=0x210) returned 1 [0115.740] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="skype.exe.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0115.741] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exexe.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.741] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0115.756] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0115.756] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.757] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0115.757] CloseHandle (hObject=0x210) returned 1 [0115.759] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smartftp.exeepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0115.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exep.exeepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.760] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0115.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0115.762] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0115.762] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0115.762] CloseHandle (hObject=0x210) returned 1 [0115.764] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=15, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="thunderbird.exeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0115.765] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0115.766] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.767] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.767] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0115.767] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0115.767] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0115.767] CloseHandle (hObject=0x210) returned 1 [0115.768] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0115.769] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.769] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.769] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0115.769] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0115.770] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0115.770] CloseHandle (hObject=0x210) returned 1 [0115.770] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0115.771] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.771] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.771] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0115.771] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0115.772] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0115.772] CloseHandle (hObject=0x210) returned 1 [0115.772] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0115.835] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.835] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.835] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0115.835] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0115.835] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0115.836] CloseHandle (hObject=0x210) returned 1 [0115.838] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0115.879] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exep.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.879] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0115.880] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.880] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.880] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0115.880] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0115.908] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0115.908] CloseHandle (hObject=0x210) returned 1 [0115.921] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0115.923] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeexexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.923] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0115.924] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.924] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.924] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0115.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0115.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0115.925] CloseHandle (hObject=0x210) returned 1 [0115.928] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0115.929] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.929] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0115.931] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.931] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.931] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0115.931] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0115.931] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0115.931] CloseHandle (hObject=0x210) returned 1 [0115.934] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 17 [0115.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.execharge.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0115.935] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0115.936] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.937] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.937] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0115.937] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0115.937] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0115.937] CloseHandle (hObject=0x210) returned 1 [0115.939] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0115.940] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.940] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.940] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0115.940] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0115.941] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0115.941] CloseHandle (hObject=0x210) returned 1 [0115.941] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0115.943] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.943] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.943] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0115.943] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0115.943] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0115.943] CloseHandle (hObject=0x210) returned 1 [0115.943] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0115.945] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0115.945] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0115.945] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0115.945] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0116.012] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0116.013] CloseHandle (hObject=0x210) returned 1 [0116.013] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0116.014] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.014] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.014] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0116.014] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0116.015] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0116.015] CloseHandle (hObject=0x210) returned 1 [0116.015] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0116.016] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.016] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.016] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0116.016] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0116.017] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0116.018] CloseHandle (hObject=0x210) returned 1 [0116.062] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="creditservice.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="creditservice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 17 [0116.064] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeervice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0116.064] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0116.065] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.065] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.065] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0116.065] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0116.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0116.066] CloseHandle (hObject=0x210) returned 1 [0116.067] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="edcsvr.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="edcsvr.exeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0116.069] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeexeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0116.069] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0116.070] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.070] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.070] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0116.071] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0116.071] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0116.071] CloseHandle (hObject=0x210) returned 1 [0116.072] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=8, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fpos.exexeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 8 [0116.074] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeexeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0116.074] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0116.075] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.075] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.075] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0116.075] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0116.076] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0116.076] CloseHandle (hObject=0x210) returned 1 [0116.077] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isspos.exeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0116.078] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbeng50.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbeng50.exeexeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0116.078] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0116.080] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.080] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.080] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0116.080] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0116.080] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0116.081] CloseHandle (hObject=0x210) returned 1 [0116.083] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mxslipstream.exe", cchWideChar=16, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mxslipstream.exee.exexe famous.exe", lpUsedDefaultChar=0x0) returned 16 [0116.084] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0116.085] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.085] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.085] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0116.085] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0116.085] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0116.086] CloseHandle (hObject=0x210) returned 1 [0116.195] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0116.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0116.197] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0116.197] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0116.197] CloseHandle (hObject=0x210) returned 1 [0116.198] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0116.199] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0116.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0116.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0116.199] CloseHandle (hObject=0x210) returned 1 [0116.199] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0116.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.201] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.201] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0116.201] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0116.201] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0116.201] CloseHandle (hObject=0x210) returned 1 [0116.201] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0116.202] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0116.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0116.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0116.203] CloseHandle (hObject=0x210) returned 1 [0116.203] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0116.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0116.204] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0116.205] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0116.205] CloseHandle (hObject=0x210) returned 1 [0116.205] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0116.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.206] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.206] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0116.206] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0116.207] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0116.207] CloseHandle (hObject=0x210) returned 1 [0116.207] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0116.208] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.208] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.208] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0116.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0116.208] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0116.209] CloseHandle (hObject=0x210) returned 1 [0116.209] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0116.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.210] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.210] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0116.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0116.210] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0116.210] CloseHandle (hObject=0x210) returned 1 [0116.210] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0116.212] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.212] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.212] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0116.212] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0116.212] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0116.212] CloseHandle (hObject=0x210) returned 1 [0116.212] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0116.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.214] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0116.214] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0116.214] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0116.214] CloseHandle (hObject=0x210) returned 1 [0116.214] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0116.215] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.215] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.215] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0116.215] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0116.216] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0116.216] CloseHandle (hObject=0x210) returned 1 [0116.216] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0116.217] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.217] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.217] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0116.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0116.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0116.217] CloseHandle (hObject=0x210) returned 1 [0116.218] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0116.218] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0116.219] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0116.219] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0116.219] CloseHandle (hObject=0x210) returned 1 [0116.219] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0116.220] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.220] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.220] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0116.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0116.221] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0116.221] CloseHandle (hObject=0x210) returned 1 [0116.221] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0116.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0116.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0116.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0116.223] CloseHandle (hObject=0x210) returned 1 [0116.223] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0116.224] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0116.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0116.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0116.225] CloseHandle (hObject=0x210) returned 1 [0116.225] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0116.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0116.226] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0116.226] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0116.226] CloseHandle (hObject=0x210) returned 1 [0116.227] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0116.227] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.228] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.228] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0116.228] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0116.228] GetLastError () returned 0x1f [0116.228] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0116.228] CloseHandle (hObject=0x210) returned 1 [0116.243] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.244] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0116.244] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.244] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.244] CloseHandle (hObject=0x210) returned 1 [0116.245] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0116.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0116.302] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0116.303] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0116.303] CloseHandle (hObject=0x210) returned 1 [0116.303] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0116.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.304] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.304] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0116.304] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0116.304] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0116.305] CloseHandle (hObject=0x210) returned 1 [0116.305] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0116.306] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.306] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.306] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0116.306] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0116.306] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0116.306] CloseHandle (hObject=0x210) returned 1 [0116.307] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0116.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.308] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.308] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0116.308] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0116.308] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0116.308] CloseHandle (hObject=0x210) returned 1 [0116.308] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0116.309] CloseHandle (hObject=0x20c) returned 1 [0116.309] Sleep (dwMilliseconds=0x1) [0116.446] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0116.446] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x3597c8, cbMultiByte=10, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="dbsnmp.exeeexelplussvc.exe") returned 10 [0116.448] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exest.exe", lpUsedDefaultChar=0x0) returned 10 [0116.448] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0116.449] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exexest.exe", lpUsedDefaultChar=0x0) returned 12 [0116.449] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0116.462] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0116.462] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.463] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.463] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0116.464] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exe", lpUsedDefaultChar=0x0) returned 10 [0116.464] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0116.465] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.465] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.465] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0116.465] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0116.465] GetLastError () returned 0x1f [0116.465] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0116.465] CloseHandle (hObject=0x210) returned 1 [0116.574] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0116.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0116.575] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0116.576] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0116.576] CloseHandle (hObject=0x210) returned 1 [0116.576] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.577] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.577] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.577] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0116.577] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0116.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.578] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.578] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0116.578] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0116.578] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0116.579] CloseHandle (hObject=0x210) returned 1 [0116.579] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0116.579] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0116.580] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0116.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.581] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.581] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0116.581] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0116.581] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0116.581] CloseHandle (hObject=0x210) returned 1 [0116.581] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0116.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.582] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0116.582] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0116.583] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0116.583] CloseHandle (hObject=0x210) returned 1 [0116.583] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0116.584] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.584] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.584] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0116.584] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0116.584] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0116.584] CloseHandle (hObject=0x210) returned 1 [0116.584] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.585] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.585] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.585] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0116.585] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.586] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.586] CloseHandle (hObject=0x210) returned 1 [0116.586] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0116.587] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.587] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.587] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0116.587] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0116.588] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0116.588] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.589] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.589] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.589] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0116.589] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.589] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.590] CloseHandle (hObject=0x210) returned 1 [0116.590] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0116.590] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.590] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.590] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0116.591] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.591] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.591] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.591] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0116.592] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.592] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.592] CloseHandle (hObject=0x210) returned 1 [0116.592] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.593] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.593] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.593] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0116.593] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.593] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.594] CloseHandle (hObject=0x210) returned 1 [0116.594] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.594] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.595] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0116.595] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.595] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.595] CloseHandle (hObject=0x210) returned 1 [0116.595] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.596] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.596] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.596] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0116.596] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.597] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.597] CloseHandle (hObject=0x210) returned 1 [0116.597] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.598] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.598] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0116.598] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.598] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.598] CloseHandle (hObject=0x210) returned 1 [0116.598] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.599] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.599] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.599] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0116.599] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.600] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.600] CloseHandle (hObject=0x210) returned 1 [0116.600] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.601] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0116.601] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.602] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.602] CloseHandle (hObject=0x210) returned 1 [0116.603] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0116.605] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exet.exee", lpUsedDefaultChar=0x0) returned 10 [0116.605] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.605] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.605] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.606] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0116.606] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.606] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.606] CloseHandle (hObject=0x210) returned 1 [0116.607] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0116.608] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exet.exee", lpUsedDefaultChar=0x0) returned 10 [0116.608] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.609] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.609] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0116.609] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.610] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.610] CloseHandle (hObject=0x210) returned 1 [0116.611] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0116.612] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exet.exee", lpUsedDefaultChar=0x0) returned 10 [0116.612] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.613] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.613] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.613] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0116.613] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.613] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.614] CloseHandle (hObject=0x210) returned 1 [0116.615] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0116.616] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exet.exee", lpUsedDefaultChar=0x0) returned 10 [0116.616] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.617] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.712] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.712] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0116.713] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.713] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.713] CloseHandle (hObject=0x210) returned 1 [0116.715] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0116.716] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exet.exee", lpUsedDefaultChar=0x0) returned 10 [0116.716] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0116.716] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.717] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.717] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0116.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0116.717] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0116.717] CloseHandle (hObject=0x210) returned 1 [0116.718] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0116.719] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.719] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.719] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0116.719] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0116.719] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0116.719] CloseHandle (hObject=0x210) returned 1 [0116.720] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0116.720] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.721] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.721] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0116.721] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0116.721] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0116.721] CloseHandle (hObject=0x210) returned 1 [0116.721] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.722] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.722] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.722] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0116.722] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.722] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.722] CloseHandle (hObject=0x210) returned 1 [0116.722] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0116.723] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.723] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.723] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0116.723] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0116.724] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0116.724] CloseHandle (hObject=0x210) returned 1 [0116.724] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0116.724] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.725] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.725] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0116.725] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0116.725] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0116.725] CloseHandle (hObject=0x210) returned 1 [0116.725] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0116.726] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.726] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.726] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0116.726] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0116.726] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0116.727] CloseHandle (hObject=0x210) returned 1 [0116.727] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0116.727] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.727] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.727] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0116.727] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0116.728] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0116.728] CloseHandle (hObject=0x210) returned 1 [0116.728] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0116.729] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.729] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.729] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0116.729] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0116.729] GetLastError () returned 0x1f [0116.729] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0116.729] CloseHandle (hObject=0x210) returned 1 [0116.759] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0116.759] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.760] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.760] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0116.760] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0116.760] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0116.760] CloseHandle (hObject=0x210) returned 1 [0116.760] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0116.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0116.762] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0116.762] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0116.762] CloseHandle (hObject=0x210) returned 1 [0116.762] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0116.763] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.763] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.763] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0116.763] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0116.763] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0116.764] CloseHandle (hObject=0x210) returned 1 [0116.764] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0116.765] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.765] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.765] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0116.765] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0116.766] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.766] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.766] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0116.766] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0116.767] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.767] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.767] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0116.767] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.767] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0116.767] CloseHandle (hObject=0x210) returned 1 [0116.768] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0116.768] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.768] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.769] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0116.769] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0116.769] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0116.769] CloseHandle (hObject=0x210) returned 1 [0116.769] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0116.770] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.770] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.770] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0116.770] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0116.771] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0116.771] CloseHandle (hObject=0x210) returned 1 [0116.771] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0116.772] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.772] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.772] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0116.772] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0116.772] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0116.773] CloseHandle (hObject=0x210) returned 1 [0116.773] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0116.874] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.876] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.876] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0116.876] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0116.904] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0116.914] CloseHandle (hObject=0x210) returned 1 [0116.914] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0116.915] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.915] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.915] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0116.916] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0116.916] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0116.916] CloseHandle (hObject=0x210) returned 1 [0116.916] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0116.917] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.917] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.917] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0116.917] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0116.917] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0116.918] CloseHandle (hObject=0x210) returned 1 [0116.918] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0116.919] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.919] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.919] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0116.919] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0116.919] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0116.919] CloseHandle (hObject=0x210) returned 1 [0116.919] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0116.920] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.920] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.920] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0116.920] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0116.921] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0116.921] CloseHandle (hObject=0x210) returned 1 [0116.921] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0116.922] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.922] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.922] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0116.922] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0116.922] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0116.922] CloseHandle (hObject=0x210) returned 1 [0116.922] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0116.923] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.923] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.923] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0116.923] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0116.924] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0116.924] CloseHandle (hObject=0x210) returned 1 [0116.924] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0116.925] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.925] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.925] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0116.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0116.925] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0116.926] CloseHandle (hObject=0x210) returned 1 [0116.926] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0116.926] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.926] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.927] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0116.927] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0116.927] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0116.927] CloseHandle (hObject=0x210) returned 1 [0116.927] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0116.928] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.928] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.928] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0116.928] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0116.928] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0116.929] CloseHandle (hObject=0x210) returned 1 [0116.929] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0116.929] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.930] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.930] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0116.930] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0116.930] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0116.930] CloseHandle (hObject=0x210) returned 1 [0116.930] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0116.931] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.931] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.931] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0116.931] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0116.932] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0116.932] CloseHandle (hObject=0x210) returned 1 [0116.932] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0116.933] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.933] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.933] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0116.933] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0116.933] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0116.933] CloseHandle (hObject=0x210) returned 1 [0116.933] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0116.934] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.934] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.934] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0116.934] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0116.934] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0116.935] CloseHandle (hObject=0x210) returned 1 [0116.935] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0116.935] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.936] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.936] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0116.936] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0116.936] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0116.936] CloseHandle (hObject=0x210) returned 1 [0116.936] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0116.938] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.938] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.938] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0116.938] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0116.938] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0116.938] CloseHandle (hObject=0x210) returned 1 [0116.938] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0116.940] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.940] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.940] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0116.940] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0116.940] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0116.940] CloseHandle (hObject=0x210) returned 1 [0116.940] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0116.942] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.942] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.942] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0116.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0116.942] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0116.942] CloseHandle (hObject=0x210) returned 1 [0116.942] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0116.943] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0116.944] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0116.944] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0116.944] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0116.944] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0116.944] CloseHandle (hObject=0x210) returned 1 [0116.944] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0117.043] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.044] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.045] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0117.045] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0117.051] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0117.055] CloseHandle (hObject=0x210) returned 1 [0117.087] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="bitkinex.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitkinex.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0117.088] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exeex.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.088] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0117.089] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0117.090] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.090] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.090] CloseHandle (hObject=0x210) returned 1 [0117.092] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="coreftp.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0117.093] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exep.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.093] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0117.095] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.095] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0117.095] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0117.095] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0117.095] CloseHandle (hObject=0x210) returned 1 [0117.096] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0117.098] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exee.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.098] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0117.099] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0117.099] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0117.100] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0117.100] CloseHandle (hObject=0x210) returned 1 [0117.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filezilla.exet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 13 [0117.103] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exella.exet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.103] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0117.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0117.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0117.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0117.105] CloseHandle (hObject=0x210) returned 1 [0117.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="flashfxp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashfxp.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0117.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exexp.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.108] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0117.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0117.109] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0117.110] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0117.110] CloseHandle (hObject=0x210) returned 1 [0117.111] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0117.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0117.112] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0117.112] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0117.113] CloseHandle (hObject=0x210) returned 1 [0117.113] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0117.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0117.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0117.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0117.115] CloseHandle (hObject=0x210) returned 1 [0117.115] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0117.116] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0117.117] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0117.275] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0117.293] CloseHandle (hObject=0x210) returned 1 [0117.306] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="icq.exe", cchWideChar=7, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="icq.exetifierpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0117.310] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exeetifierpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.310] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0117.313] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.314] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.315] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0117.315] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.317] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.317] CloseHandle (hObject=0x210) returned 1 [0117.318] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="leechftp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="leechftp.exerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0117.320] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exetp.exerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.320] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0117.322] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.322] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.322] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0117.322] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.323] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.323] CloseHandle (hObject=0x210) returned 1 [0117.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ncftp.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ncftp.exeexerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0117.325] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exeexeexerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.325] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0117.327] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.327] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.327] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0117.327] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0117.328] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0117.328] CloseHandle (hObject=0x210) returned 1 [0117.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0117.331] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exed.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.331] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0117.332] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.332] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.332] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0117.332] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0117.333] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0117.333] CloseHandle (hObject=0x210) returned 1 [0117.335] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="operamail.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="operamail.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 13 [0117.336] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exeail.exepro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.336] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0117.337] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.338] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.338] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0117.338] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0117.338] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0117.338] CloseHandle (hObject=0x210) returned 1 [0117.339] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0117.341] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.341] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.341] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0117.341] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0117.341] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0117.342] CloseHandle (hObject=0x210) returned 1 [0117.342] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0117.343] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.344] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.344] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0117.344] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.344] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.344] CloseHandle (hObject=0x210) returned 1 [0117.344] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0117.345] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.346] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.346] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0117.346] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0117.346] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0117.346] CloseHandle (hObject=0x210) returned 1 [0117.346] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0117.348] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.348] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.348] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0117.348] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.348] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0117.348] CloseHandle (hObject=0x210) returned 1 [0117.348] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0117.350] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.350] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.350] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0117.350] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0117.350] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0117.350] CloseHandle (hObject=0x210) returned 1 [0117.351] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0117.352] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.352] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.352] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0117.352] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0117.352] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0117.352] CloseHandle (hObject=0x210) returned 1 [0117.493] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0117.494] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.494] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.494] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0117.494] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0117.495] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0117.495] CloseHandle (hObject=0x210) returned 1 [0117.495] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0117.496] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.497] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.497] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0117.497] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0117.497] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0117.497] CloseHandle (hObject=0x210) returned 1 [0117.497] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0117.499] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.499] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.499] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0117.499] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0117.499] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0117.499] CloseHandle (hObject=0x210) returned 1 [0117.499] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0117.501] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.501] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.501] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0117.501] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0117.501] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0117.501] CloseHandle (hObject=0x210) returned 1 [0117.502] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0117.521] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.521] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.521] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0117.522] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0117.537] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0117.538] CloseHandle (hObject=0x210) returned 1 [0117.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0117.542] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exeessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.542] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0117.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0117.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0117.544] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0117.544] CloseHandle (hObject=0x210) returned 1 [0117.546] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 17 [0117.547] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exe-charge.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.547] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0117.548] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0117.549] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0117.549] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0117.549] CloseHandle (hObject=0x210) returned 1 [0117.550] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accupos.exege.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0117.551] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exes.exege.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.551] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0117.552] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.552] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.552] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0117.552] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0117.553] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0117.553] CloseHandle (hObject=0x210) returned 1 [0117.554] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="afr38.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="afr38.exexege.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0117.555] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dbsnmp.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dbsnmp.exeexexege.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.555] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0117.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0117.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0117.557] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0117.557] CloseHandle (hObject=0x210) returned 1 [0117.558] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="aldelo.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aldelo.exeege.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0117.558] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0117.559] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.559] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.559] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0117.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0117.560] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0117.560] CloseHandle (hObject=0x210) returned 1 [0117.560] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0117.561] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.561] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.562] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0117.562] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0117.562] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0117.562] CloseHandle (hObject=0x210) returned 1 [0117.562] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0117.563] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0117.564] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0117.564] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0117.564] CloseHandle (hObject=0x210) returned 1 [0117.564] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0117.565] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.565] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.565] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0117.565] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0117.566] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0117.566] CloseHandle (hObject=0x210) returned 1 [0117.566] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0117.567] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.567] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.567] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0117.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0117.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0117.568] CloseHandle (hObject=0x210) returned 1 [0117.568] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0117.569] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.569] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.569] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0117.569] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0117.569] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0117.570] CloseHandle (hObject=0x210) returned 1 [0117.570] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0117.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0117.668] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0117.669] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0117.670] CloseHandle (hObject=0x210) returned 1 [0117.670] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0117.671] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0117.671] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0117.672] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0117.672] CloseHandle (hObject=0x210) returned 1 [0117.672] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0117.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.673] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0117.673] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0117.674] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0117.674] CloseHandle (hObject=0x210) returned 1 [0117.674] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0117.675] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.675] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.675] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0117.675] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0117.676] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0117.676] CloseHandle (hObject=0x210) returned 1 [0117.676] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0117.677] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.677] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.677] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0117.677] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0117.678] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0117.678] CloseHandle (hObject=0x210) returned 1 [0117.678] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0117.679] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.679] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.679] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0117.679] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0117.680] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0117.680] CloseHandle (hObject=0x210) returned 1 [0117.680] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0117.681] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.682] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.682] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0117.682] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0117.682] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0117.682] CloseHandle (hObject=0x210) returned 1 [0117.682] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0117.683] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.683] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.683] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0117.684] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0117.684] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0117.684] CloseHandle (hObject=0x210) returned 1 [0117.684] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0117.685] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.685] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.685] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0117.685] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0117.686] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0117.686] CloseHandle (hObject=0x210) returned 1 [0117.686] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0117.687] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.687] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.687] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0117.687] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0117.688] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0117.688] CloseHandle (hObject=0x210) returned 1 [0117.688] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0117.689] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.689] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.689] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0117.689] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0117.690] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0117.690] CloseHandle (hObject=0x210) returned 1 [0117.690] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0117.691] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.691] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.691] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0117.691] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0117.692] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0117.692] CloseHandle (hObject=0x210) returned 1 [0117.692] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0117.693] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.693] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.693] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0117.693] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0117.693] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0117.694] CloseHandle (hObject=0x210) returned 1 [0117.694] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0117.695] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.695] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.695] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0117.695] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0117.696] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0117.696] CloseHandle (hObject=0x210) returned 1 [0117.696] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0117.697] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.697] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.697] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0117.697] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0117.697] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0117.698] CloseHandle (hObject=0x210) returned 1 [0117.698] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0117.699] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0117.699] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0117.699] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0117.700] CloseHandle (hObject=0x210) returned 1 [0117.700] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0117.701] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.701] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.701] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0117.701] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0117.701] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0117.701] CloseHandle (hObject=0x210) returned 1 [0117.701] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0117.702] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.702] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.702] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0117.703] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0117.703] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0117.703] CloseHandle (hObject=0x210) returned 1 [0117.703] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0117.704] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.704] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.704] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0117.704] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0117.705] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0117.705] CloseHandle (hObject=0x210) returned 1 [0117.705] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0117.706] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.706] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.706] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0117.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0117.706] GetLastError () returned 0x1f [0117.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0117.706] CloseHandle (hObject=0x210) returned 1 [0117.831] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0117.832] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.832] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.832] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0117.832] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0117.833] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0117.833] CloseHandle (hObject=0x210) returned 1 [0117.833] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0117.834] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.834] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.834] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0117.834] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0117.834] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0117.835] CloseHandle (hObject=0x210) returned 1 [0117.835] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0117.836] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.838] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.838] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0117.838] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0117.838] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0117.838] CloseHandle (hObject=0x210) returned 1 [0117.838] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0117.839] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.839] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.839] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0117.839] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0117.839] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0117.839] CloseHandle (hObject=0x210) returned 1 [0117.840] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0117.840] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0117.840] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0117.840] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0117.841] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0117.841] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0117.841] CloseHandle (hObject=0x210) returned 1 [0117.841] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x70e8c, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0117.842] CloseHandle (hObject=0x20c) returned 1 [0117.842] Sleep (dwMilliseconds=0x1) [0117.931] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0117.931] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x3597e0, cbMultiByte=10, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="encsvc.exeeexelplussvc.exe") returned 10 [0117.933] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exest.exe", lpUsedDefaultChar=0x0) returned 10 [0117.933] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0117.934] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exexest.exe", lpUsedDefaultChar=0x0) returned 12 [0117.934] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0118.048] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.049] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.049] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.049] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0118.050] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exe", lpUsedDefaultChar=0x0) returned 10 [0118.050] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0118.051] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.051] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.051] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0118.051] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0118.051] GetLastError () returned 0x1f [0118.051] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0118.051] CloseHandle (hObject=0x210) returned 1 [0118.062] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0118.063] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.063] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.063] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0118.063] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0118.064] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0118.064] CloseHandle (hObject=0x210) returned 1 [0118.064] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.065] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.065] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.065] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0118.065] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0118.066] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.066] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.066] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0118.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0118.066] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0118.067] CloseHandle (hObject=0x210) returned 1 [0118.067] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.068] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.068] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.068] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0118.068] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0118.069] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.069] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.069] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0118.069] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0118.069] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0118.069] CloseHandle (hObject=0x210) returned 1 [0118.069] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0118.070] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.071] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.071] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0118.071] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0118.071] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0118.071] CloseHandle (hObject=0x210) returned 1 [0118.071] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0118.072] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.072] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.072] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0118.072] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0118.073] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0118.073] CloseHandle (hObject=0x210) returned 1 [0118.073] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.074] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.074] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.074] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0118.074] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.074] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.075] CloseHandle (hObject=0x210) returned 1 [0118.075] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0118.075] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.076] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.076] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0118.076] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0118.076] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.077] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.077] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0118.077] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.078] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.078] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.078] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0118.078] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.078] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.078] CloseHandle (hObject=0x210) returned 1 [0118.078] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0118.079] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.079] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.079] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0118.079] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.080] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.080] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.080] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0118.081] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.081] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.081] CloseHandle (hObject=0x210) returned 1 [0118.081] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.082] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.082] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.082] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0118.082] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.082] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.083] CloseHandle (hObject=0x210) returned 1 [0118.083] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.084] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.084] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.084] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0118.084] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.084] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.084] CloseHandle (hObject=0x210) returned 1 [0118.084] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.085] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.085] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.085] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0118.086] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.181] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.181] CloseHandle (hObject=0x210) returned 1 [0118.181] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.182] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.182] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.182] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0118.182] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.182] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.183] CloseHandle (hObject=0x210) returned 1 [0118.183] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.183] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.183] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.183] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0118.183] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.184] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.184] CloseHandle (hObject=0x210) returned 1 [0118.184] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.184] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.185] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.185] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0118.185] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.185] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.185] CloseHandle (hObject=0x210) returned 1 [0118.185] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.186] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.186] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.186] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0118.186] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.186] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.186] CloseHandle (hObject=0x210) returned 1 [0118.186] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.187] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.187] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.187] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0118.187] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.187] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.188] CloseHandle (hObject=0x210) returned 1 [0118.188] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.188] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0118.188] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.189] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.189] CloseHandle (hObject=0x210) returned 1 [0118.189] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.189] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0118.190] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.190] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.190] CloseHandle (hObject=0x210) returned 1 [0118.190] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0118.191] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.191] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.191] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0118.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0118.191] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0118.191] CloseHandle (hObject=0x210) returned 1 [0118.191] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0118.192] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.192] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.192] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0118.192] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0118.193] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0118.193] CloseHandle (hObject=0x210) returned 1 [0118.193] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0118.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.194] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.194] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0118.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0118.194] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0118.194] CloseHandle (hObject=0x210) returned 1 [0118.194] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0118.195] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.196] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.196] CloseHandle (hObject=0x210) returned 1 [0118.196] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0118.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0118.198] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0118.198] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0118.198] CloseHandle (hObject=0x210) returned 1 [0118.198] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0118.199] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0118.199] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0118.200] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0118.200] CloseHandle (hObject=0x210) returned 1 [0118.200] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0118.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.201] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.201] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0118.201] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0118.201] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0118.201] CloseHandle (hObject=0x210) returned 1 [0118.201] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0118.202] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0118.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0118.202] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0118.202] CloseHandle (hObject=0x210) returned 1 [0118.202] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0118.203] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.203] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.203] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0118.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0118.203] GetLastError () returned 0x1f [0118.203] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0118.203] CloseHandle (hObject=0x210) returned 1 [0118.216] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0118.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.217] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.217] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0118.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0118.217] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0118.217] CloseHandle (hObject=0x210) returned 1 [0118.217] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0118.218] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.218] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.218] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0118.218] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0118.219] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0118.219] CloseHandle (hObject=0x210) returned 1 [0118.219] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0118.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0118.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0118.220] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0118.220] CloseHandle (hObject=0x210) returned 1 [0118.220] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0118.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.221] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0118.221] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0118.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0118.222] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0118.222] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.223] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.223] CloseHandle (hObject=0x210) returned 1 [0118.223] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0118.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0118.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0118.224] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0118.224] CloseHandle (hObject=0x210) returned 1 [0118.224] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0118.225] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.225] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.225] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0118.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0118.225] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0118.225] CloseHandle (hObject=0x210) returned 1 [0118.225] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0118.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0118.226] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0118.321] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0118.321] CloseHandle (hObject=0x210) returned 1 [0118.321] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0118.322] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.322] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.322] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0118.322] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0118.322] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0118.322] CloseHandle (hObject=0x210) returned 1 [0118.322] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0118.323] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.323] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.323] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0118.323] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0118.323] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0118.324] CloseHandle (hObject=0x210) returned 1 [0118.324] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0118.324] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.324] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.325] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0118.325] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0118.325] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0118.325] CloseHandle (hObject=0x210) returned 1 [0118.325] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0118.326] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.326] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.326] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0118.326] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0118.326] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0118.326] CloseHandle (hObject=0x210) returned 1 [0118.326] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0118.327] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.327] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.327] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0118.327] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0118.328] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0118.328] CloseHandle (hObject=0x210) returned 1 [0118.328] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0118.329] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.329] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.329] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0118.329] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0118.329] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0118.329] CloseHandle (hObject=0x210) returned 1 [0118.329] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0118.330] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.330] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.330] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0118.330] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0118.331] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0118.331] CloseHandle (hObject=0x210) returned 1 [0118.331] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0118.331] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.331] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.331] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0118.332] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0118.332] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0118.332] CloseHandle (hObject=0x210) returned 1 [0118.332] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0118.333] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.333] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.333] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0118.333] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0118.333] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0118.333] CloseHandle (hObject=0x210) returned 1 [0118.333] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0118.334] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.334] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.334] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0118.334] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0118.334] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0118.335] CloseHandle (hObject=0x210) returned 1 [0118.335] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0118.335] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.335] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.335] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0118.335] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0118.336] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0118.336] CloseHandle (hObject=0x210) returned 1 [0118.336] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0118.337] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.337] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.337] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0118.337] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0118.337] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0118.338] CloseHandle (hObject=0x210) returned 1 [0118.338] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0118.338] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.338] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.338] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0118.338] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0118.339] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0118.339] CloseHandle (hObject=0x210) returned 1 [0118.339] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0118.339] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.340] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.340] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0118.340] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0118.340] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0118.340] CloseHandle (hObject=0x210) returned 1 [0118.340] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0118.341] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.341] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.341] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0118.341] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0118.341] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0118.341] CloseHandle (hObject=0x210) returned 1 [0118.341] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0118.342] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.342] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.342] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0118.343] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.343] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.343] CloseHandle (hObject=0x210) returned 1 [0118.343] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0118.344] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.344] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.344] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0118.344] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0118.344] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0118.345] CloseHandle (hObject=0x210) returned 1 [0118.345] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0118.346] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.346] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.346] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0118.346] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.346] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.346] CloseHandle (hObject=0x210) returned 1 [0118.346] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0118.347] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.348] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.348] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0118.348] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0118.348] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0118.348] CloseHandle (hObject=0x210) returned 1 [0118.348] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0118.349] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.349] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.350] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0118.350] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0118.350] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0118.350] CloseHandle (hObject=0x210) returned 1 [0118.350] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0118.351] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.351] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.351] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0118.351] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.352] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.352] CloseHandle (hObject=0x210) returned 1 [0118.353] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="coreftp.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0118.354] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exep.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0118.354] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0118.355] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.355] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.355] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0118.355] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0118.356] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0118.356] CloseHandle (hObject=0x210) returned 1 [0118.356] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0118.357] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exee.exeeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0118.358] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0118.359] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.359] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.359] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x210 [0118.359] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0118.359] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0118.359] CloseHandle (hObject=0x210) returned 1 [0118.361] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filezilla.exet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 13 [0118.362] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exella.exet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0118.362] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0118.363] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.364] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.364] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x210 [0118.364] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0118.364] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0118.364] CloseHandle (hObject=0x210) returned 1 [0118.366] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="flashfxp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashfxp.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0118.533] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exexp.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0118.533] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0118.534] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.535] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x210 [0118.535] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0118.535] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0118.535] CloseHandle (hObject=0x210) returned 1 [0118.537] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fling.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fling.exeexeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0118.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="encsvc.exe", cchWideChar=10, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="encsvc.exeexeexeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0118.538] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0118.539] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.540] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.540] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x210 [0118.540] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0118.540] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0118.540] CloseHandle (hObject=0x210) returned 1 [0118.542] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0118.543] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.543] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.543] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x210 [0118.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0118.543] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0118.544] CloseHandle (hObject=0x210) returned 1 [0118.544] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0118.545] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.546] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.546] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x210 [0118.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0118.546] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0118.546] CloseHandle (hObject=0x210) returned 1 [0118.546] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0118.548] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.548] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.548] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x210 [0118.548] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.548] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.548] CloseHandle (hObject=0x210) returned 1 [0118.549] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0118.550] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.550] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.550] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x210 [0118.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.550] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.551] CloseHandle (hObject=0x210) returned 1 [0118.551] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0118.552] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.552] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.552] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x210 [0118.552] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0118.553] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0118.553] CloseHandle (hObject=0x210) returned 1 [0118.553] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0118.554] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.554] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.554] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x210 [0118.554] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0118.555] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0118.555] CloseHandle (hObject=0x210) returned 1 [0118.555] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0118.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x210 [0118.556] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0118.557] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0118.557] CloseHandle (hObject=0x210) returned 1 [0118.557] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0118.558] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.558] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.558] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x210 [0118.559] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0118.559] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0118.559] CloseHandle (hObject=0x210) returned 1 [0118.559] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0118.560] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.560] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.560] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x210 [0118.561] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.561] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.561] CloseHandle (hObject=0x210) returned 1 [0118.561] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0118.562] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x210 [0118.563] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0118.563] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0118.563] CloseHandle (hObject=0x210) returned 1 [0118.563] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0118.564] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.565] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.565] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x210 [0118.565] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.565] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0118.565] CloseHandle (hObject=0x210) returned 1 [0118.565] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0118.567] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.567] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.567] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x210 [0118.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0118.567] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0118.567] CloseHandle (hObject=0x210) returned 1 [0118.568] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0118.569] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.569] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.569] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x210 [0118.569] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0118.569] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0118.569] CloseHandle (hObject=0x210) returned 1 [0118.569] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0118.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x210 [0118.668] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0118.668] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0118.668] CloseHandle (hObject=0x210) returned 1 [0118.668] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0118.669] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.670] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.670] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x210 [0118.670] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0118.670] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0118.670] CloseHandle (hObject=0x210) returned 1 [0118.670] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0118.671] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.671] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.671] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x210 [0118.671] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0118.671] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0118.672] CloseHandle (hObject=0x210) returned 1 [0118.672] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0118.673] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.673] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.673] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x210 [0118.673] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0118.673] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0118.673] CloseHandle (hObject=0x210) returned 1 [0118.673] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0118.674] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.674] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.674] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x210 [0118.675] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0118.675] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0118.675] CloseHandle (hObject=0x210) returned 1 [0118.675] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0118.676] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.676] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.676] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x210 [0118.676] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0118.676] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0118.677] CloseHandle (hObject=0x210) returned 1 [0118.677] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0118.678] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.678] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.678] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x210 [0118.678] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0118.678] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0118.678] CloseHandle (hObject=0x210) returned 1 [0118.678] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0118.679] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.679] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.679] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x210 [0118.679] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0118.680] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0118.680] CloseHandle (hObject=0x210) returned 1 [0118.680] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0118.681] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.681] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.681] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x210 [0118.681] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0118.681] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0118.681] CloseHandle (hObject=0x210) returned 1 [0118.681] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0118.682] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.682] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.682] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x210 [0118.683] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0118.683] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0118.683] CloseHandle (hObject=0x210) returned 1 [0118.683] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0118.684] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.684] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.684] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x210 [0118.684] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0118.684] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0118.685] CloseHandle (hObject=0x210) returned 1 [0118.685] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0118.685] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.686] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.686] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x210 [0118.686] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0118.686] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0118.686] CloseHandle (hObject=0x210) returned 1 [0118.686] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0118.687] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.687] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.687] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x210 [0118.687] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0118.688] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0118.688] CloseHandle (hObject=0x210) returned 1 [0118.688] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0118.689] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.689] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.689] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x210 [0118.689] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0118.689] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0118.689] CloseHandle (hObject=0x210) returned 1 [0118.689] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0118.690] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.690] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.690] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x210 [0118.690] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0118.691] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0118.691] CloseHandle (hObject=0x210) returned 1 [0118.691] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0118.692] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.692] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.692] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x210 [0118.692] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0118.692] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0118.692] CloseHandle (hObject=0x210) returned 1 [0118.692] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0118.693] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.693] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.693] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x210 [0118.693] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0118.694] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0118.694] CloseHandle (hObject=0x210) returned 1 [0118.694] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0118.695] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.695] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.695] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x210 [0118.695] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0118.696] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0118.696] CloseHandle (hObject=0x210) returned 1 [0118.696] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0118.697] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.697] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.697] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x210 [0118.697] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0118.697] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0118.698] CloseHandle (hObject=0x210) returned 1 [0118.698] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0118.698] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x210 [0118.699] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0118.699] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0118.699] CloseHandle (hObject=0x210) returned 1 [0118.699] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0118.700] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.700] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.700] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x210 [0118.700] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0118.700] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0118.701] CloseHandle (hObject=0x210) returned 1 [0118.701] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0118.701] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.702] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.702] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x210 [0118.702] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0118.702] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0118.702] CloseHandle (hObject=0x210) returned 1 [0118.702] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0118.703] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.703] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.703] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x210 [0118.703] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0118.703] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0118.703] CloseHandle (hObject=0x210) returned 1 [0118.704] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0118.704] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.704] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.704] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x210 [0118.704] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0118.705] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0118.705] CloseHandle (hObject=0x210) returned 1 [0118.705] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0118.706] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.706] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.706] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x210 [0118.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0118.706] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0118.706] CloseHandle (hObject=0x210) returned 1 [0118.706] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0118.707] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.707] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.707] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x210 [0118.707] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0118.708] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0118.708] CloseHandle (hObject=0x210) returned 1 [0118.708] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0118.709] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.709] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.709] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x210 [0118.709] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0118.709] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0118.709] CloseHandle (hObject=0x210) returned 1 [0118.709] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0118.710] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.710] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.710] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x210 [0118.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0118.710] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0118.783] CloseHandle (hObject=0x210) returned 1 [0118.786] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0118.793] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x210 [0118.796] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0118.820] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0118.821] CloseHandle (hObject=0x210) returned 1 [0118.821] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0118.821] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.822] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.822] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x210 [0118.822] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0118.822] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0118.822] CloseHandle (hObject=0x210) returned 1 [0118.822] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0118.823] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.823] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x210 [0118.823] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0118.823] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0118.823] CloseHandle (hObject=0x210) returned 1 [0118.824] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0118.824] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.824] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.824] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x210 [0118.825] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0118.825] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0118.825] CloseHandle (hObject=0x210) returned 1 [0118.825] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0118.826] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.826] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.826] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x210 [0118.826] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0118.826] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0118.826] CloseHandle (hObject=0x210) returned 1 [0118.826] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0118.827] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.827] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.827] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x210 [0118.827] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0118.828] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0118.828] CloseHandle (hObject=0x210) returned 1 [0118.828] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0118.829] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.829] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.829] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x210 [0118.829] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0118.829] GetLastError () returned 0x1f [0118.829] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0118.829] CloseHandle (hObject=0x210) returned 1 [0118.841] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.842] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.842] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.842] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x210 [0118.842] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.843] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0118.843] CloseHandle (hObject=0x210) returned 1 [0118.843] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0118.843] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.844] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.844] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x210 [0118.844] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0118.844] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0118.844] CloseHandle (hObject=0x210) returned 1 [0118.844] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0118.845] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.845] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.845] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x210 [0118.845] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0118.845] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0118.846] CloseHandle (hObject=0x210) returned 1 [0118.846] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0118.846] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.847] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.847] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x210 [0118.847] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0118.847] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0118.847] CloseHandle (hObject=0x210) returned 1 [0118.847] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0118.848] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.848] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.848] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x210 [0118.848] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0118.848] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0118.848] CloseHandle (hObject=0x210) returned 1 [0118.849] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0118.849] CloseHandle (hObject=0x20c) returned 1 [0118.849] Sleep (dwMilliseconds=0x1) [0118.959] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0118.959] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x3597f8, cbMultiByte=7, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="far.exeexeeexelplussvc.exe") returned 7 [0118.960] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exexe", lpUsedDefaultChar=0x0) returned 7 [0118.960] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0118.962] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exee", lpUsedDefaultChar=0x0) returned 12 [0118.962] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0118.972] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.973] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.973] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.973] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0118.975] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe\x01\x0c", lpUsedDefaultChar=0x0) returned 7 [0118.975] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0118.975] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.975] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.976] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x210 [0118.976] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0118.976] GetLastError () returned 0x1f [0118.976] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0118.976] CloseHandle (hObject=0x210) returned 1 [0118.987] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0118.988] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.988] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.988] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x210 [0118.989] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0118.989] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0118.989] CloseHandle (hObject=0x210) returned 1 [0118.990] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.990] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.991] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.991] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0118.991] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0118.991] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.992] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.992] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x210 [0118.992] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0118.992] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0118.992] CloseHandle (hObject=0x210) returned 1 [0118.992] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.993] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.993] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.993] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0118.993] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0118.994] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.994] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.994] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x210 [0118.994] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0118.995] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0118.995] CloseHandle (hObject=0x210) returned 1 [0118.995] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0118.996] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.996] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.996] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x210 [0118.996] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0118.996] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0118.997] CloseHandle (hObject=0x210) returned 1 [0118.997] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0118.997] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.998] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.998] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x210 [0118.998] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0118.998] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0118.998] CloseHandle (hObject=0x210) returned 1 [0118.998] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.999] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0118.999] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0118.999] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x210 [0118.999] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.000] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.000] CloseHandle (hObject=0x210) returned 1 [0119.000] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0119.001] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.001] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.001] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0119.001] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0119.002] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.002] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.002] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0119.002] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.003] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.003] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.003] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x210 [0119.003] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.003] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.003] CloseHandle (hObject=0x210) returned 1 [0119.003] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0119.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0119.004] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.104] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x210 [0119.104] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.105] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.105] CloseHandle (hObject=0x210) returned 1 [0119.105] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x64, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.106] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.106] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.106] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x210 [0119.106] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.106] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.107] CloseHandle (hObject=0x210) returned 1 [0119.107] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.107] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.108] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.108] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x210 [0119.108] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.108] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.108] CloseHandle (hObject=0x210) returned 1 [0119.108] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x210 [0119.109] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.110] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.110] CloseHandle (hObject=0x210) returned 1 [0119.110] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x210 [0119.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.111] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.112] CloseHandle (hObject=0x210) returned 1 [0119.112] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x210 [0119.113] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.113] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.113] CloseHandle (hObject=0x210) returned 1 [0119.113] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x210 [0119.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.115] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.116] CloseHandle (hObject=0x210) returned 1 [0119.117] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0119.118] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exehost.exee", lpUsedDefaultChar=0x0) returned 7 [0119.118] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.119] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.119] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x210 [0119.119] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.120] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.120] CloseHandle (hObject=0x210) returned 1 [0119.121] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0119.122] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exehost.exee", lpUsedDefaultChar=0x0) returned 7 [0119.122] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.123] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.123] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.123] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x210 [0119.123] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.124] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.124] CloseHandle (hObject=0x210) returned 1 [0119.125] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0119.126] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exehost.exee", lpUsedDefaultChar=0x0) returned 7 [0119.126] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.127] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.127] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.127] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x210 [0119.127] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.127] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.128] CloseHandle (hObject=0x210) returned 1 [0119.129] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0119.131] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exehost.exee", lpUsedDefaultChar=0x0) returned 7 [0119.131] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.132] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.132] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.132] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x210 [0119.132] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.132] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.133] CloseHandle (hObject=0x210) returned 1 [0119.135] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0119.136] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exehost.exee", lpUsedDefaultChar=0x0) returned 7 [0119.136] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0119.137] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.137] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.137] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x210 [0119.137] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0119.137] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0119.138] CloseHandle (hObject=0x210) returned 1 [0119.139] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exee", lpUsedDefaultChar=0x0) returned 11 [0119.140] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0119.141] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.141] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.141] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x210 [0119.141] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0119.142] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0119.142] CloseHandle (hObject=0x210) returned 1 [0119.142] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0119.143] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.143] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.143] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x210 [0119.143] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0119.144] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0119.144] CloseHandle (hObject=0x210) returned 1 [0119.144] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.145] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.145] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.145] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x210 [0119.145] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.240] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.241] CloseHandle (hObject=0x210) returned 1 [0119.241] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0119.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.242] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x210 [0119.242] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0119.242] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0119.242] CloseHandle (hObject=0x210) returned 1 [0119.242] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0119.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.243] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.243] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x210 [0119.244] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0119.244] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0119.244] CloseHandle (hObject=0x210) returned 1 [0119.244] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0119.245] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.245] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.245] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x210 [0119.245] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0119.246] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0119.246] CloseHandle (hObject=0x210) returned 1 [0119.246] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0119.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x210 [0119.247] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0119.247] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0119.247] CloseHandle (hObject=0x210) returned 1 [0119.247] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0119.248] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.248] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.248] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x210 [0119.248] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0119.249] GetLastError () returned 0x1f [0119.249] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0119.249] CloseHandle (hObject=0x210) returned 1 [0119.265] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0119.266] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.266] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.266] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x210 [0119.266] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0119.267] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0119.267] CloseHandle (hObject=0x210) returned 1 [0119.267] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0119.268] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.268] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.268] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x210 [0119.268] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0119.268] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0119.269] CloseHandle (hObject=0x210) returned 1 [0119.269] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0119.269] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.270] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.270] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x210 [0119.270] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0119.270] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0119.270] CloseHandle (hObject=0x210) returned 1 [0119.270] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0119.271] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.271] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.271] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0119.271] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0119.272] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.272] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.272] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0119.272] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.273] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.273] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.273] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x210 [0119.273] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.273] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0119.273] CloseHandle (hObject=0x210) returned 1 [0119.274] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0119.274] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.274] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.274] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x210 [0119.275] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0119.275] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0119.275] CloseHandle (hObject=0x210) returned 1 [0119.275] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0119.276] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.276] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.276] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x210 [0119.276] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0119.276] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0119.277] CloseHandle (hObject=0x210) returned 1 [0119.277] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0119.277] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.278] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.278] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x210 [0119.278] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0119.278] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0119.278] CloseHandle (hObject=0x210) returned 1 [0119.278] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0119.279] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.279] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.279] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x210 [0119.279] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0119.280] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0119.280] CloseHandle (hObject=0x210) returned 1 [0119.280] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0119.281] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.281] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.281] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x210 [0119.281] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0119.281] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0119.281] CloseHandle (hObject=0x210) returned 1 [0119.282] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0119.282] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.282] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.282] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x210 [0119.283] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0119.283] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0119.283] CloseHandle (hObject=0x210) returned 1 [0119.283] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0119.284] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.284] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.284] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x210 [0119.284] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0119.284] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0119.285] CloseHandle (hObject=0x210) returned 1 [0119.285] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0119.286] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.286] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.286] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x210 [0119.384] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0119.384] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0119.385] CloseHandle (hObject=0x210) returned 1 [0119.507] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0119.507] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.507] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.507] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x210 [0119.508] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0119.508] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0119.508] CloseHandle (hObject=0x210) returned 1 [0119.508] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0119.509] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.509] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.509] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x210 [0119.509] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0119.509] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0119.509] CloseHandle (hObject=0x210) returned 1 [0119.509] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0119.510] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.510] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.510] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x210 [0119.510] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0119.510] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0119.511] CloseHandle (hObject=0x210) returned 1 [0119.511] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0119.511] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.511] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.511] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x210 [0119.511] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0119.512] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0119.512] CloseHandle (hObject=0x210) returned 1 [0119.512] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0119.512] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.513] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.513] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x210 [0119.513] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0119.513] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0119.513] CloseHandle (hObject=0x210) returned 1 [0119.513] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0119.514] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.514] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.514] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x210 [0119.514] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0119.514] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0119.514] CloseHandle (hObject=0x210) returned 1 [0119.514] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0119.515] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.515] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.515] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x210 [0119.515] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0119.516] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0119.516] CloseHandle (hObject=0x210) returned 1 [0119.516] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0119.517] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.517] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.517] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x210 [0119.517] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0119.517] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0119.517] CloseHandle (hObject=0x210) returned 1 [0119.517] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0119.518] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.518] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.518] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x210 [0119.518] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0119.518] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0119.519] CloseHandle (hObject=0x210) returned 1 [0119.519] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0119.519] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.519] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.519] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x210 [0119.520] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0119.520] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0119.520] CloseHandle (hObject=0x210) returned 1 [0119.520] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0119.522] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.522] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.522] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x210 [0119.522] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.522] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.522] CloseHandle (hObject=0x210) returned 1 [0119.522] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0119.523] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.523] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x210 [0119.523] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0119.524] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0119.524] CloseHandle (hObject=0x210) returned 1 [0119.524] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0119.525] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.525] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.525] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x210 [0119.525] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.525] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.525] CloseHandle (hObject=0x210) returned 1 [0119.526] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0119.527] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.527] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.527] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x210 [0119.527] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0119.527] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0119.527] CloseHandle (hObject=0x210) returned 1 [0119.527] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0119.528] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.528] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.529] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x210 [0119.529] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0119.529] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0119.529] CloseHandle (hObject=0x210) returned 1 [0119.529] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0119.530] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.530] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.530] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x210 [0119.530] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.530] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.531] CloseHandle (hObject=0x210) returned 1 [0119.531] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0119.532] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.532] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.532] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0119.532] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0119.532] QueryFullProcessImageNameW (in: hProcess=0x210, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\far.exe", lpdwSize=0x10bf57c) returned 1 [0119.533] CloseHandle (hObject=0x210) returned 1 [0119.533] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xff8) returned 0x210 [0119.533] TerminateProcess (hProcess=0x210, uExitCode=0x0) returned 1 [0119.544] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0119.545] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.545] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.545] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x214 [0119.545] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0119.545] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0119.545] CloseHandle (hObject=0x214) returned 1 [0119.547] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=13, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filezilla.exet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 13 [0119.548] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exeezilla.exet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.548] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0119.549] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x214 [0119.549] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0119.550] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0119.550] CloseHandle (hObject=0x214) returned 1 [0119.551] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="flashfxp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashfxp.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0119.825] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exeshfxp.exeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.825] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0119.826] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.827] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.827] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x214 [0119.827] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0119.827] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0119.827] CloseHandle (hObject=0x214) returned 1 [0119.828] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fling.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fling.exeexeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0119.829] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exeng.exeexeet.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.829] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0119.830] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.830] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.830] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x214 [0119.831] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0119.831] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0119.831] CloseHandle (hObject=0x214) returned 1 [0119.833] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="foxmailincmail.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="foxmailincmail.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0119.834] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exemailincmail.exed.exe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.834] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0119.835] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.835] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.835] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x214 [0119.835] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0119.835] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0119.836] CloseHandle (hObject=0x214) returned 1 [0119.838] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gmailnotifierpro.exe", cchWideChar=20, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gmailnotifierpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 20 [0119.838] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exeilnotifierpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.838] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0119.839] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.840] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.840] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x214 [0119.840] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0119.840] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0119.840] CloseHandle (hObject=0x214) returned 1 [0119.841] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0119.842] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.842] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.842] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x214 [0119.842] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.842] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.842] CloseHandle (hObject=0x214) returned 1 [0119.843] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0119.844] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.844] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.844] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x214 [0119.844] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.844] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.845] CloseHandle (hObject=0x214) returned 1 [0119.845] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0119.846] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.846] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.846] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x214 [0119.846] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0119.846] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0119.846] CloseHandle (hObject=0x214) returned 1 [0119.846] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0119.847] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.847] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.847] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x214 [0119.847] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0119.848] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0119.848] CloseHandle (hObject=0x214) returned 1 [0119.848] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0119.850] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.850] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.850] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x214 [0119.850] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0119.851] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0119.851] CloseHandle (hObject=0x214) returned 1 [0119.851] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0119.852] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.852] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.852] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x214 [0119.852] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0119.852] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0119.853] CloseHandle (hObject=0x214) returned 1 [0119.853] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0119.854] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.854] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.854] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x214 [0119.854] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.854] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.854] CloseHandle (hObject=0x214) returned 1 [0119.854] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0119.855] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.855] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.855] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x214 [0119.855] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0119.855] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0119.856] CloseHandle (hObject=0x214) returned 1 [0119.856] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0119.857] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.857] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.857] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x214 [0119.857] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.857] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0119.857] CloseHandle (hObject=0x214) returned 1 [0119.857] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0119.858] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.858] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.858] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x214 [0119.859] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0119.859] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0119.859] CloseHandle (hObject=0x214) returned 1 [0119.859] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0119.860] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.860] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.860] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x214 [0119.860] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0119.860] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0119.860] CloseHandle (hObject=0x214) returned 1 [0119.861] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0119.862] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.862] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.862] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x214 [0119.862] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0119.862] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0119.862] CloseHandle (hObject=0x214) returned 1 [0119.862] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0119.863] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.863] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.863] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x214 [0119.863] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0119.864] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0119.864] CloseHandle (hObject=0x214) returned 1 [0119.925] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0119.928] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.929] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.929] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x214 [0119.929] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0119.930] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0119.931] CloseHandle (hObject=0x214) returned 1 [0119.933] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0119.934] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exetsapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.934] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0119.936] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.936] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.936] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x214 [0119.936] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0119.936] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0119.937] CloseHandle (hObject=0x214) returned 1 [0119.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0119.939] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exescp.exexeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.939] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0119.940] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.941] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.941] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x214 [0119.941] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0119.941] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0119.941] CloseHandle (hObject=0x214) returned 1 [0119.945] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 18 [0119.946] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exeoomessenger.exexeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.946] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0119.947] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.947] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.947] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x214 [0119.947] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0119.948] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0119.948] CloseHandle (hObject=0x214) returned 1 [0119.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 17 [0119.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exeive-charge.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.951] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0119.952] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.953] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.953] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x214 [0119.953] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0119.953] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0119.953] CloseHandle (hObject=0x214) returned 1 [0119.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accupos.exege.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0119.956] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exeupos.exege.exeexeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0119.956] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0119.957] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.957] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.957] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x214 [0119.957] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0119.958] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0119.958] CloseHandle (hObject=0x214) returned 1 [0119.959] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0119.961] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.961] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.961] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x214 [0119.961] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0119.961] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0119.962] CloseHandle (hObject=0x214) returned 1 [0119.962] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0119.963] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0119.963] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0119.963] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x214 [0119.964] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0119.964] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0119.964] CloseHandle (hObject=0x214) returned 1 [0119.964] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0120.040] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.040] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.040] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x214 [0120.040] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0120.040] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0120.040] CloseHandle (hObject=0x214) returned 1 [0120.040] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0120.041] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.041] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.041] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x214 [0120.042] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0120.042] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0120.042] CloseHandle (hObject=0x214) returned 1 [0120.042] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0120.043] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.043] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.043] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x214 [0120.043] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0120.043] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0120.043] CloseHandle (hObject=0x214) returned 1 [0120.043] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0120.044] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.044] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.044] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x214 [0120.045] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0120.045] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0120.045] CloseHandle (hObject=0x214) returned 1 [0120.045] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0120.046] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.046] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.046] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x214 [0120.046] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0120.046] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0120.046] CloseHandle (hObject=0x214) returned 1 [0120.046] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0120.047] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.047] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.047] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x214 [0120.047] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0120.048] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0120.048] CloseHandle (hObject=0x214) returned 1 [0120.048] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0120.049] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.049] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.049] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x214 [0120.049] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0120.049] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0120.049] CloseHandle (hObject=0x214) returned 1 [0120.049] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0120.050] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.050] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.050] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x214 [0120.050] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0120.051] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0120.051] CloseHandle (hObject=0x214) returned 1 [0120.051] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0120.052] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.052] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.052] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x214 [0120.052] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0120.052] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0120.052] CloseHandle (hObject=0x214) returned 1 [0120.053] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0120.054] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.054] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.054] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x214 [0120.054] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0120.054] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0120.055] CloseHandle (hObject=0x214) returned 1 [0120.055] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0120.056] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.056] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.056] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x214 [0120.056] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0120.056] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0120.056] CloseHandle (hObject=0x214) returned 1 [0120.056] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0120.057] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.057] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.057] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x214 [0120.057] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0120.057] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0120.058] CloseHandle (hObject=0x214) returned 1 [0120.058] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0120.058] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.058] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.058] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x214 [0120.059] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0120.059] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0120.059] CloseHandle (hObject=0x214) returned 1 [0120.059] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0120.060] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.060] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.060] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x214 [0120.060] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0120.060] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0120.060] CloseHandle (hObject=0x214) returned 1 [0120.060] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0120.061] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.061] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.061] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x214 [0120.061] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0120.061] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0120.062] CloseHandle (hObject=0x214) returned 1 [0120.062] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0120.062] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.063] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.063] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x214 [0120.063] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0120.063] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UsoClient.exe", lpdwSize=0x10bf57c) returned 1 [0120.063] CloseHandle (hObject=0x214) returned 1 [0120.063] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0120.064] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.064] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.064] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x214 [0120.064] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0120.064] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0120.064] CloseHandle (hObject=0x214) returned 1 [0120.064] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0120.065] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.065] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.065] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x214 [0120.065] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0120.066] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0120.066] CloseHandle (hObject=0x214) returned 1 [0120.066] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0120.067] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.067] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.067] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x214 [0120.067] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0120.068] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0120.068] CloseHandle (hObject=0x214) returned 1 [0120.068] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0120.070] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.070] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.070] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x214 [0120.070] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0120.070] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0120.070] CloseHandle (hObject=0x214) returned 1 [0120.070] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0120.071] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.071] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.071] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x214 [0120.071] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0120.072] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0120.072] CloseHandle (hObject=0x214) returned 1 [0120.072] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0120.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x214 [0120.302] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0120.303] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0120.303] CloseHandle (hObject=0x214) returned 1 [0120.303] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0120.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.304] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.304] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x214 [0120.304] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0120.305] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0120.305] CloseHandle (hObject=0x214) returned 1 [0120.305] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0120.306] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.306] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.306] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x214 [0120.306] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0120.307] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0120.307] CloseHandle (hObject=0x214) returned 1 [0120.307] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0120.308] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.308] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.308] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x214 [0120.308] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0120.308] GetLastError () returned 0x1f [0120.308] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 0 [0120.308] CloseHandle (hObject=0x214) returned 1 [0120.323] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.324] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.324] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.325] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x214 [0120.325] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.325] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.326] CloseHandle (hObject=0x214) returned 1 [0120.326] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0120.327] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.327] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.327] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x214 [0120.327] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0120.327] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0120.327] CloseHandle (hObject=0x214) returned 1 [0120.327] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0120.328] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.328] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.329] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x214 [0120.329] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0120.329] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0120.329] CloseHandle (hObject=0x214) returned 1 [0120.329] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0120.330] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.330] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.330] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x214 [0120.330] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0120.331] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0120.331] CloseHandle (hObject=0x214) returned 1 [0120.331] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0120.332] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.332] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.332] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x214 [0120.332] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0120.332] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0120.333] CloseHandle (hObject=0x214) returned 1 [0120.333] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x70e8c, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0120.333] CloseHandle (hObject=0x20c) returned 1 [0120.334] Sleep (dwMilliseconds=0x1) [0120.393] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0120.393] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x34a708, cbMultiByte=17, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="firefoxconfig.exeċssvc.exe") returned 17 [0120.395] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="firefoxconfig.exe", cchWideChar=17, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="firefoxconfig.exeos.exe", lpUsedDefaultChar=0x0) returned 17 [0120.395] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0120.397] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeonfig.exeos.exe", lpUsedDefaultChar=0x0) returned 12 [0120.397] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0120.408] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0120.409] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.409] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.409] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0120.411] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="firefoxconfig.exe", cchWideChar=17, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="firefoxconfig.exeH+\x01\x0cù\x06", lpUsedDefaultChar=0x0) returned 17 [0120.411] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0120.412] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.412] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x214 [0120.412] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0120.412] GetLastError () returned 0x1f [0120.412] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0120.413] CloseHandle (hObject=0x214) returned 1 [0120.422] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0120.423] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.423] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.423] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x214 [0120.423] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0120.423] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0120.424] CloseHandle (hObject=0x214) returned 1 [0120.424] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0120.424] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.425] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.425] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0120.425] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0120.426] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.426] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.426] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x214 [0120.426] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0120.426] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0120.426] CloseHandle (hObject=0x214) returned 1 [0120.426] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0120.427] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.427] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.427] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0120.427] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0120.428] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.428] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.428] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x214 [0120.429] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0120.429] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0120.429] CloseHandle (hObject=0x214) returned 1 [0120.429] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0120.430] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.430] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.430] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x214 [0120.430] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0120.431] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0120.431] CloseHandle (hObject=0x214) returned 1 [0120.431] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0120.432] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.432] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.432] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x214 [0120.432] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0120.432] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62594, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0120.432] CloseHandle (hObject=0x214) returned 1 [0120.432] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.433] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.433] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.433] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x214 [0120.434] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.434] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.434] CloseHandle (hObject=0x214) returned 1 [0120.434] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0120.576] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.576] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.576] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0120.576] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0120.577] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.577] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.577] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0120.578] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.578] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.578] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x214 [0120.579] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.579] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.579] CloseHandle (hObject=0x214) returned 1 [0120.579] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0120.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0120.580] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.581] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.581] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.581] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x214 [0120.581] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.582] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.582] CloseHandle (hObject=0x214) returned 1 [0120.582] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x65, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.583] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.583] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.583] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x214 [0120.583] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.583] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.584] CloseHandle (hObject=0x214) returned 1 [0120.584] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.584] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.585] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.585] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x214 [0120.585] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.585] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.585] CloseHandle (hObject=0x214) returned 1 [0120.585] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.586] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.586] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.586] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x214 [0120.586] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.587] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.587] CloseHandle (hObject=0x214) returned 1 [0120.587] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.588] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.588] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.588] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x214 [0120.588] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.588] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.589] CloseHandle (hObject=0x214) returned 1 [0120.589] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.589] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.590] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.590] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x214 [0120.590] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.590] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.590] CloseHandle (hObject=0x214) returned 1 [0120.590] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.592] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.592] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.592] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x214 [0120.592] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.592] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.593] CloseHandle (hObject=0x214) returned 1 [0120.593] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.593] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.594] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.594] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x214 [0120.594] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.594] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.594] CloseHandle (hObject=0x214) returned 1 [0120.594] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.595] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.595] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.595] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x214 [0120.595] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.596] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.596] CloseHandle (hObject=0x214) returned 1 [0120.596] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.597] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.597] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.597] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x214 [0120.597] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.597] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.598] CloseHandle (hObject=0x214) returned 1 [0120.598] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.598] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.599] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.599] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x214 [0120.599] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.599] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.599] CloseHandle (hObject=0x214) returned 1 [0120.599] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0120.600] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.600] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.600] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x214 [0120.600] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0120.601] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0120.601] CloseHandle (hObject=0x214) returned 1 [0120.601] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0120.602] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.602] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.602] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x214 [0120.602] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0120.602] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0120.603] CloseHandle (hObject=0x214) returned 1 [0120.603] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0120.603] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.604] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.604] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x214 [0120.604] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0120.604] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0120.604] CloseHandle (hObject=0x214) returned 1 [0120.604] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0120.605] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.605] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.605] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x214 [0120.605] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.606] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0120.606] CloseHandle (hObject=0x214) returned 1 [0120.606] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0120.607] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.607] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.607] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x214 [0120.607] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0120.608] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0120.608] CloseHandle (hObject=0x214) returned 1 [0120.608] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x36, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0120.609] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.609] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.609] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x214 [0120.609] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0120.609] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0120.609] CloseHandle (hObject=0x214) returned 1 [0120.610] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0120.610] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.610] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.611] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x214 [0120.611] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0120.611] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0120.611] CloseHandle (hObject=0x214) returned 1 [0120.611] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0120.612] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.612] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.612] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x214 [0120.612] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0120.613] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0120.613] CloseHandle (hObject=0x214) returned 1 [0120.613] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0120.614] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0120.614] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0120.614] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x214 [0120.614] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0120.614] GetLastError () returned 0x1f [0120.614] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0120.614] CloseHandle (hObject=0x214) returned 1 [0121.225] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0121.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x214 [0121.227] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0121.227] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0121.227] CloseHandle (hObject=0x214) returned 1 [0121.227] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0121.228] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.228] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.228] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x214 [0121.228] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0121.229] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0121.229] CloseHandle (hObject=0x214) returned 1 [0121.229] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0121.230] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x214 [0121.230] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0121.230] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0121.231] CloseHandle (hObject=0x214) returned 1 [0121.231] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0121.239] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.239] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.239] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0121.239] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0121.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.240] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.240] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0121.241] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0121.241] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.241] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.241] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x214 [0121.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0121.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0121.242] CloseHandle (hObject=0x214) returned 1 [0121.242] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0121.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.243] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.243] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x214 [0121.243] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0121.243] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0121.244] CloseHandle (hObject=0x214) returned 1 [0121.244] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0121.245] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.245] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.245] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x214 [0121.245] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0121.245] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0121.245] CloseHandle (hObject=0x214) returned 1 [0121.245] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0121.246] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x214 [0121.246] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0121.247] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0121.247] CloseHandle (hObject=0x214) returned 1 [0121.247] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0121.248] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.248] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.248] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x214 [0121.248] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0121.248] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0121.249] CloseHandle (hObject=0x214) returned 1 [0121.249] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0121.250] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.250] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.250] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x214 [0121.250] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0121.250] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0121.250] CloseHandle (hObject=0x214) returned 1 [0121.250] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0121.251] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.251] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.251] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x214 [0121.251] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0121.252] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0121.252] CloseHandle (hObject=0x214) returned 1 [0121.252] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0121.253] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.253] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.253] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x214 [0121.253] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0121.253] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0121.253] CloseHandle (hObject=0x214) returned 1 [0121.254] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0121.254] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.254] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.255] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x214 [0121.255] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0121.255] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0121.255] CloseHandle (hObject=0x214) returned 1 [0121.255] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0121.256] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.256] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.256] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x214 [0121.256] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0121.256] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0121.257] CloseHandle (hObject=0x214) returned 1 [0121.257] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0121.258] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.258] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.258] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x214 [0121.258] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0121.258] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0121.259] CloseHandle (hObject=0x214) returned 1 [0121.259] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0121.260] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.260] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.260] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x214 [0121.260] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0121.260] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0121.260] CloseHandle (hObject=0x214) returned 1 [0121.261] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0121.261] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.261] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.261] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x214 [0121.262] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0121.262] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0121.262] CloseHandle (hObject=0x214) returned 1 [0121.262] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0121.378] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.378] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x214 [0121.379] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0121.379] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0121.379] CloseHandle (hObject=0x214) returned 1 [0121.379] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0121.380] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.380] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.380] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x214 [0121.380] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0121.381] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0121.381] CloseHandle (hObject=0x214) returned 1 [0121.381] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0121.382] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.382] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.382] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x214 [0121.382] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0121.382] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0121.382] CloseHandle (hObject=0x214) returned 1 [0121.382] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0121.383] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.383] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.383] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x214 [0121.383] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0121.384] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0121.384] CloseHandle (hObject=0x214) returned 1 [0121.384] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0121.385] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.385] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.385] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x214 [0121.385] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0121.385] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0121.385] CloseHandle (hObject=0x214) returned 1 [0121.385] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0121.386] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.386] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.386] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x214 [0121.386] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0121.387] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0121.387] CloseHandle (hObject=0x214) returned 1 [0121.387] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0121.388] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.389] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.389] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x214 [0121.389] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.389] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.389] CloseHandle (hObject=0x214) returned 1 [0121.389] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0121.390] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.391] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.391] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x214 [0121.391] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0121.391] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0121.391] CloseHandle (hObject=0x214) returned 1 [0121.391] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0121.392] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.393] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.393] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x214 [0121.393] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.393] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.393] CloseHandle (hObject=0x214) returned 1 [0121.393] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0121.394] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.395] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.395] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x214 [0121.395] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0121.395] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0121.395] CloseHandle (hObject=0x214) returned 1 [0121.395] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0121.397] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.397] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.397] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x214 [0121.397] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0121.397] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0121.397] CloseHandle (hObject=0x214) returned 1 [0121.397] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0121.399] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.399] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.399] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x214 [0121.399] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.399] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.399] CloseHandle (hObject=0x214) returned 1 [0121.400] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0121.401] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.401] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.401] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x214 [0121.401] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0121.401] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0121.402] CloseHandle (hObject=0x214) returned 1 [0121.402] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0121.403] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.403] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.403] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x214 [0121.403] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0121.404] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0121.404] CloseHandle (hObject=0x214) returned 1 [0121.404] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0121.405] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.405] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.406] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x214 [0121.406] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0121.406] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0121.406] CloseHandle (hObject=0x214) returned 1 [0121.406] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0121.407] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.408] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.408] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x214 [0121.408] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0121.408] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0121.408] CloseHandle (hObject=0x214) returned 1 [0121.408] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0121.410] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.410] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.410] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x214 [0121.410] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0121.410] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0121.410] CloseHandle (hObject=0x214) returned 1 [0121.410] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0121.412] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.412] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.412] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x214 [0121.412] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0121.412] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0121.412] CloseHandle (hObject=0x214) returned 1 [0121.413] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0121.414] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.414] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.414] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x214 [0121.414] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.414] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.415] CloseHandle (hObject=0x214) returned 1 [0121.415] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0121.416] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.416] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.416] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x214 [0121.416] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.416] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.417] CloseHandle (hObject=0x214) returned 1 [0121.417] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0121.418] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.418] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.418] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x214 [0121.418] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0121.419] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0121.419] CloseHandle (hObject=0x214) returned 1 [0121.491] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0121.493] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.493] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.493] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x214 [0121.493] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0121.493] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0121.494] CloseHandle (hObject=0x214) returned 1 [0121.494] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0121.495] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.495] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.495] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x214 [0121.495] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0121.495] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0121.496] CloseHandle (hObject=0x214) returned 1 [0121.496] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0121.497] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.497] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.497] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x214 [0121.497] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0121.498] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0121.498] CloseHandle (hObject=0x214) returned 1 [0121.498] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0121.499] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.499] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.499] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x214 [0121.500] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.500] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.500] CloseHandle (hObject=0x214) returned 1 [0121.500] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0121.501] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.501] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.502] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x214 [0121.502] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0121.502] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0121.502] CloseHandle (hObject=0x214) returned 1 [0121.502] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0121.503] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.504] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.504] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x214 [0121.504] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.504] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0121.504] CloseHandle (hObject=0x214) returned 1 [0121.504] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0121.505] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.506] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.506] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x214 [0121.506] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0121.506] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0121.506] CloseHandle (hObject=0x214) returned 1 [0121.506] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0121.508] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.508] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.508] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x214 [0121.508] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0121.508] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0121.508] CloseHandle (hObject=0x214) returned 1 [0121.508] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0121.510] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.510] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.510] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x214 [0121.510] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0121.510] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0121.510] CloseHandle (hObject=0x214) returned 1 [0121.510] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0121.511] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.512] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.512] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x214 [0121.512] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0121.512] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0121.512] CloseHandle (hObject=0x214) returned 1 [0121.512] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0121.514] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.514] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.514] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x214 [0121.514] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0121.514] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0121.515] CloseHandle (hObject=0x214) returned 1 [0121.515] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0121.516] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.516] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.516] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x214 [0121.516] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0121.516] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0121.518] CloseHandle (hObject=0x214) returned 1 [0121.518] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0121.519] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.519] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.519] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x214 [0121.519] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0121.519] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0121.520] CloseHandle (hObject=0x214) returned 1 [0121.520] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0121.521] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.521] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.521] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x214 [0121.521] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0121.521] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0121.522] CloseHandle (hObject=0x214) returned 1 [0121.522] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0121.523] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.523] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x214 [0121.523] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0121.523] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0121.524] CloseHandle (hObject=0x214) returned 1 [0121.524] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0121.525] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.525] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.525] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x214 [0121.525] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0121.525] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0121.526] CloseHandle (hObject=0x214) returned 1 [0121.526] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0121.527] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0121.527] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0121.527] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x214 [0121.527] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0121.527] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0121.528] CloseHandle (hObject=0x214) returned 1 [0121.528] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0122.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x214 [0122.195] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0122.196] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0122.196] CloseHandle (hObject=0x214) returned 1 [0122.196] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0122.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x214 [0122.197] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0122.198] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0122.198] CloseHandle (hObject=0x214) returned 1 [0122.198] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0122.199] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x214 [0122.200] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0122.200] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0122.200] CloseHandle (hObject=0x214) returned 1 [0122.200] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0122.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.205] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.205] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x214 [0122.205] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0122.205] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0122.205] CloseHandle (hObject=0x214) returned 1 [0122.205] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0122.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.207] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.207] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x214 [0122.207] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0122.207] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0122.207] CloseHandle (hObject=0x214) returned 1 [0122.207] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0122.208] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x214 [0122.209] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0122.209] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0122.209] CloseHandle (hObject=0x214) returned 1 [0122.209] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0122.210] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.210] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.210] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x214 [0122.211] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0122.211] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0122.211] CloseHandle (hObject=0x214) returned 1 [0122.211] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0122.212] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.212] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.212] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x214 [0122.212] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0122.213] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0122.213] CloseHandle (hObject=0x214) returned 1 [0122.213] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0122.214] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.214] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x214 [0122.214] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0122.215] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0122.215] CloseHandle (hObject=0x214) returned 1 [0122.215] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0122.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x214 [0122.222] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0122.223] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0122.223] CloseHandle (hObject=0x214) returned 1 [0122.223] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0122.224] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x214 [0122.224] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0122.225] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0122.225] CloseHandle (hObject=0x214) returned 1 [0122.225] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0122.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x214 [0122.226] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0122.226] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0122.227] CloseHandle (hObject=0x214) returned 1 [0122.227] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0122.228] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.228] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.228] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x214 [0122.228] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0122.228] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0122.229] CloseHandle (hObject=0x214) returned 1 [0122.229] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0122.230] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x214 [0122.230] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0122.230] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0122.231] CloseHandle (hObject=0x214) returned 1 [0122.231] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0122.238] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.238] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.238] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x214 [0122.238] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0122.239] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0122.239] CloseHandle (hObject=0x214) returned 1 [0122.239] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0122.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.240] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.240] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x214 [0122.240] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0122.241] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0122.241] CloseHandle (hObject=0x214) returned 1 [0122.241] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0122.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.242] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1390) returned 0x214 [0122.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 0 [0122.242] GetLastError () returned 0x1f [0122.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 0 [0122.243] CloseHandle (hObject=0x214) returned 1 [0122.443] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0122.444] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.444] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.444] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x214 [0122.444] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0122.444] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0122.445] CloseHandle (hObject=0x214) returned 1 [0122.445] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0122.446] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.446] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.446] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x214 [0122.446] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0122.446] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0122.446] CloseHandle (hObject=0x214) returned 1 [0122.447] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0122.448] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.448] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.448] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x214 [0122.448] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0122.448] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0122.448] CloseHandle (hObject=0x214) returned 1 [0122.448] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0122.449] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.449] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.449] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x214 [0122.450] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0122.450] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0122.450] CloseHandle (hObject=0x214) returned 1 [0122.450] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0122.491] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.491] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.491] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x214 [0122.491] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0122.491] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0122.492] CloseHandle (hObject=0x214) returned 1 [0122.492] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0122.493] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.493] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.493] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x214 [0122.493] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0122.493] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0122.493] CloseHandle (hObject=0x214) returned 1 [0122.493] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0122.494] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.494] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.494] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x214 [0122.495] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0122.495] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0122.495] CloseHandle (hObject=0x214) returned 1 [0122.495] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0122.496] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.496] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.496] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x214 [0122.496] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0122.496] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0122.497] CloseHandle (hObject=0x214) returned 1 [0122.497] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0122.499] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.499] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.499] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1170) returned 0x0 [0122.499] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.500] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.500] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.500] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x214 [0122.500] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.500] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.500] CloseHandle (hObject=0x214) returned 1 [0122.500] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1224, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0122.501] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.501] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.502] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1224) returned 0x0 [0122.502] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0122.502] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.503] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.503] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x214 [0122.503] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0122.503] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0122.503] CloseHandle (hObject=0x214) returned 1 [0122.503] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0122.504] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.504] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.504] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x214 [0122.504] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0122.505] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0122.505] CloseHandle (hObject=0x214) returned 1 [0122.505] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0122.506] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.506] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.506] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x214 [0122.506] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0122.506] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0122.506] CloseHandle (hObject=0x214) returned 1 [0122.506] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0122.507] CloseHandle (hObject=0x20c) returned 1 [0122.507] Sleep (dwMilliseconds=0x1) [0122.596] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0122.596] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x34a728, cbMultiByte=12, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="infopath.exeg.exeċssvc.exe") returned 12 [0122.597] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="infopath.exe", cchWideChar=12, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infopath.exe", lpUsedDefaultChar=0x0) returned 12 [0122.597] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0122.598] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0122.598] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0122.607] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0122.608] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.608] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.608] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0122.609] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="infopath.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infopath.exe\x0c", lpUsedDefaultChar=0x0) returned 12 [0122.609] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0122.610] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.610] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.610] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x214 [0122.610] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0122.610] GetLastError () returned 0x1f [0122.610] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 0 [0122.610] CloseHandle (hObject=0x214) returned 1 [0122.620] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0122.621] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.621] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.621] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x214 [0122.621] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0122.621] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62594, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0122.622] CloseHandle (hObject=0x214) returned 1 [0122.622] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0122.623] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.623] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.623] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0122.623] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0122.624] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.624] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.624] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x214 [0122.624] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0122.624] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0122.624] CloseHandle (hObject=0x214) returned 1 [0122.624] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0122.625] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.625] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.625] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0122.625] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0122.626] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.626] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.626] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x214 [0122.626] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0122.626] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0122.626] CloseHandle (hObject=0x214) returned 1 [0122.626] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0122.627] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.627] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.627] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x214 [0122.627] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0122.627] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0122.627] CloseHandle (hObject=0x214) returned 1 [0122.628] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0122.628] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.628] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.628] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x214 [0122.628] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0122.628] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0122.629] CloseHandle (hObject=0x214) returned 1 [0122.629] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.629] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.629] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.629] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x214 [0122.630] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.630] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.630] CloseHandle (hObject=0x214) returned 1 [0122.630] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0122.631] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.631] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.631] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0122.631] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0122.631] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.631] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.631] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0122.632] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.632] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.632] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.632] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x214 [0122.632] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.633] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.633] CloseHandle (hObject=0x214) returned 1 [0122.633] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0122.633] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.633] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.633] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0122.634] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x214 [0122.634] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.634] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.635] CloseHandle (hObject=0x214) returned 1 [0122.635] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x67, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.635] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.636] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.636] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x214 [0122.636] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.636] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.636] CloseHandle (hObject=0x214) returned 1 [0122.636] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.637] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.637] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.637] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x214 [0122.637] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.637] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.638] CloseHandle (hObject=0x214) returned 1 [0122.755] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.756] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.756] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x214 [0122.756] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.757] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.757] CloseHandle (hObject=0x214) returned 1 [0122.757] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.758] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.758] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.758] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x214 [0122.758] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.758] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.759] CloseHandle (hObject=0x214) returned 1 [0122.759] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.759] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.760] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.760] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x214 [0122.760] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.760] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.760] CloseHandle (hObject=0x214) returned 1 [0122.760] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.761] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.761] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.761] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x214 [0122.761] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.762] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.762] CloseHandle (hObject=0x214) returned 1 [0122.762] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.788] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.788] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.788] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x214 [0122.788] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.788] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.789] CloseHandle (hObject=0x214) returned 1 [0122.789] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.790] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.790] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.790] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x214 [0122.790] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.790] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.790] CloseHandle (hObject=0x214) returned 1 [0122.791] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.791] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.791] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.792] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x214 [0122.792] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.792] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.792] CloseHandle (hObject=0x214) returned 1 [0122.792] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.793] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.793] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.793] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x214 [0122.793] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.794] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.794] CloseHandle (hObject=0x214) returned 1 [0122.794] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0122.809] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.809] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.809] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x214 [0122.809] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0122.814] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0122.814] CloseHandle (hObject=0x214) returned 1 [0122.814] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0122.815] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.815] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.815] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x214 [0122.815] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0122.816] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0122.816] CloseHandle (hObject=0x214) returned 1 [0122.816] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0122.817] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.817] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.817] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x214 [0122.817] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0122.817] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0122.818] CloseHandle (hObject=0x214) returned 1 [0122.818] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.819] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.819] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.819] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x214 [0122.819] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.819] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0122.819] CloseHandle (hObject=0x214) returned 1 [0122.820] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0122.820] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.821] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.821] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x214 [0122.821] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0122.821] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0122.821] CloseHandle (hObject=0x214) returned 1 [0122.821] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0122.822] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.822] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.822] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x214 [0122.822] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0122.823] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62594, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0122.823] CloseHandle (hObject=0x214) returned 1 [0122.823] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0122.824] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.824] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.824] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x214 [0122.824] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0122.824] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0122.825] CloseHandle (hObject=0x214) returned 1 [0122.825] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0122.830] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.830] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.830] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x214 [0122.830] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0122.830] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0122.830] CloseHandle (hObject=0x214) returned 1 [0122.831] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0122.831] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0122.832] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0122.832] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x214 [0122.832] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0122.832] GetLastError () returned 0x1f [0122.832] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0122.832] CloseHandle (hObject=0x214) returned 1 [0123.213] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0123.214] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.214] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x214 [0123.215] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0123.215] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0123.215] CloseHandle (hObject=0x214) returned 1 [0123.215] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0123.217] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.217] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.217] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x214 [0123.217] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0123.218] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0123.218] CloseHandle (hObject=0x214) returned 1 [0123.218] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0123.219] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.219] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x214 [0123.219] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0123.219] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0123.220] CloseHandle (hObject=0x214) returned 1 [0123.220] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0123.221] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.221] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.221] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0123.221] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0123.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0123.222] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0123.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.223] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.223] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x214 [0123.223] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0123.223] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0123.224] CloseHandle (hObject=0x214) returned 1 [0123.224] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0123.225] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.225] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.225] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x214 [0123.225] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0123.225] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0123.225] CloseHandle (hObject=0x214) returned 1 [0123.226] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0123.226] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.227] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.227] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x214 [0123.227] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0123.227] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0123.227] CloseHandle (hObject=0x214) returned 1 [0123.227] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0123.228] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.228] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.228] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x214 [0123.228] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0123.229] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0123.229] CloseHandle (hObject=0x214) returned 1 [0123.229] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0123.230] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.230] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.230] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x214 [0123.230] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0123.230] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0123.231] CloseHandle (hObject=0x214) returned 1 [0123.231] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0123.235] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.235] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.235] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x214 [0123.235] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0123.235] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0123.235] CloseHandle (hObject=0x214) returned 1 [0123.236] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0123.236] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.237] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.237] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x214 [0123.237] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0123.237] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0123.237] CloseHandle (hObject=0x214) returned 1 [0123.237] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0123.238] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.238] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.238] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x214 [0123.238] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0123.239] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0123.239] CloseHandle (hObject=0x214) returned 1 [0123.239] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0123.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.240] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.240] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x214 [0123.240] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0123.241] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0123.241] CloseHandle (hObject=0x214) returned 1 [0123.241] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0123.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.242] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x214 [0123.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0123.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0123.243] CloseHandle (hObject=0x214) returned 1 [0123.243] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0123.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x214 [0123.244] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0123.244] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0123.244] CloseHandle (hObject=0x214) returned 1 [0123.244] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0123.245] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.245] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x214 [0123.246] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0123.246] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0123.246] CloseHandle (hObject=0x214) returned 1 [0123.246] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0123.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.439] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x214 [0123.439] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0123.439] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0123.440] CloseHandle (hObject=0x214) returned 1 [0123.440] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0123.441] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.441] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.441] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x214 [0123.441] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0123.441] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0123.441] CloseHandle (hObject=0x214) returned 1 [0123.442] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0123.442] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.443] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.443] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x214 [0123.443] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0123.443] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0123.443] CloseHandle (hObject=0x214) returned 1 [0123.443] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0123.444] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.445] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.445] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x214 [0123.445] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0123.445] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0123.445] CloseHandle (hObject=0x214) returned 1 [0123.446] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0123.446] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.447] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.447] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x214 [0123.447] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0123.447] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0123.447] CloseHandle (hObject=0x214) returned 1 [0123.447] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0123.448] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.448] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.448] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x214 [0123.448] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0123.449] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0123.449] CloseHandle (hObject=0x214) returned 1 [0123.449] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0123.450] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.450] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.450] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x214 [0123.450] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0123.451] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0123.451] CloseHandle (hObject=0x214) returned 1 [0123.451] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0123.515] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.515] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.515] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x214 [0123.516] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.516] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.516] CloseHandle (hObject=0x214) returned 1 [0123.516] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0123.518] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.518] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.518] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x214 [0123.518] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0123.518] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0123.519] CloseHandle (hObject=0x214) returned 1 [0123.519] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0123.520] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.520] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.520] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x214 [0123.521] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.521] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.521] CloseHandle (hObject=0x214) returned 1 [0123.521] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0123.523] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.523] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x214 [0123.523] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0123.523] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0123.524] CloseHandle (hObject=0x214) returned 1 [0123.524] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0123.525] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.525] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.525] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x214 [0123.525] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0123.526] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0123.526] CloseHandle (hObject=0x214) returned 1 [0123.526] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0123.527] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.527] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x214 [0123.528] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.528] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.528] CloseHandle (hObject=0x214) returned 1 [0123.528] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0123.530] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.530] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.530] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x214 [0123.530] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0123.531] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0123.531] CloseHandle (hObject=0x214) returned 1 [0123.531] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0123.532] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.532] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.533] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x214 [0123.533] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0123.533] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0123.533] CloseHandle (hObject=0x214) returned 1 [0123.533] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0123.535] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.535] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x214 [0123.535] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0123.535] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0123.535] CloseHandle (hObject=0x214) returned 1 [0123.536] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0123.537] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.537] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.537] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x214 [0123.537] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0123.538] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0123.538] CloseHandle (hObject=0x214) returned 1 [0123.538] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0123.539] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.539] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.539] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x214 [0123.540] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0123.540] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0123.540] CloseHandle (hObject=0x214) returned 1 [0123.540] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0123.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x214 [0123.634] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0123.635] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0123.635] CloseHandle (hObject=0x214) returned 1 [0123.635] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0123.637] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.637] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.637] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x214 [0123.637] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.637] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.638] CloseHandle (hObject=0x214) returned 1 [0123.638] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0123.639] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.640] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.640] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x214 [0123.640] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.640] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.640] CloseHandle (hObject=0x214) returned 1 [0123.640] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0123.642] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.642] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.642] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x214 [0123.642] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0123.642] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0123.643] CloseHandle (hObject=0x214) returned 1 [0123.643] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0123.644] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.644] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.644] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x214 [0123.644] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0123.645] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0123.645] CloseHandle (hObject=0x214) returned 1 [0123.645] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0123.646] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.646] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.646] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x214 [0123.647] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0123.647] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0123.647] CloseHandle (hObject=0x214) returned 1 [0123.647] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0123.649] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.649] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.649] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x214 [0123.649] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0123.649] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0123.649] CloseHandle (hObject=0x214) returned 1 [0123.650] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0123.651] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.651] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.651] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x214 [0123.651] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.651] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.652] CloseHandle (hObject=0x214) returned 1 [0123.652] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0123.653] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.653] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.653] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x214 [0123.654] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0123.654] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0123.654] CloseHandle (hObject=0x214) returned 1 [0123.654] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0123.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.656] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x214 [0123.656] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.656] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0123.656] CloseHandle (hObject=0x214) returned 1 [0123.657] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0123.659] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.659] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.659] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x214 [0123.659] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0123.660] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0123.660] CloseHandle (hObject=0x214) returned 1 [0123.660] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0123.661] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.661] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.661] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x214 [0123.661] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0123.662] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0123.662] CloseHandle (hObject=0x214) returned 1 [0123.662] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0123.663] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.664] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.664] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x214 [0123.664] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0123.664] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0123.664] CloseHandle (hObject=0x214) returned 1 [0123.664] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0123.666] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.666] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.666] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x214 [0123.666] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0123.666] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0123.666] CloseHandle (hObject=0x214) returned 1 [0123.666] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0123.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.668] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.668] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x214 [0123.668] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0123.668] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0123.669] CloseHandle (hObject=0x214) returned 1 [0123.669] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0123.731] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.731] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.732] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x214 [0123.733] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0123.733] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0123.733] CloseHandle (hObject=0x214) returned 1 [0123.733] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0123.735] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.735] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.735] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x214 [0123.735] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0123.735] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0123.735] CloseHandle (hObject=0x214) returned 1 [0123.735] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0123.737] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.737] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.737] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x214 [0123.737] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0123.737] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0123.737] CloseHandle (hObject=0x214) returned 1 [0123.737] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0123.739] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.739] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.739] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x214 [0123.739] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0123.739] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0123.740] CloseHandle (hObject=0x214) returned 1 [0123.740] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0123.741] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.741] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.741] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x214 [0123.741] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0123.741] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0123.742] CloseHandle (hObject=0x214) returned 1 [0123.742] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0123.743] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.743] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.743] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x214 [0123.743] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0123.743] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0123.744] CloseHandle (hObject=0x214) returned 1 [0123.744] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0123.745] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.745] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.745] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x214 [0123.745] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0123.745] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0123.745] CloseHandle (hObject=0x214) returned 1 [0123.746] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0123.747] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.747] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.747] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x214 [0123.747] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0123.747] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0123.747] CloseHandle (hObject=0x214) returned 1 [0123.748] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0123.749] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.749] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.749] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x214 [0123.749] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0123.749] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0123.750] CloseHandle (hObject=0x214) returned 1 [0123.750] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0123.751] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.751] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.751] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x214 [0123.751] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0123.751] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0123.752] CloseHandle (hObject=0x214) returned 1 [0123.752] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0123.753] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.753] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.753] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x214 [0123.753] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0123.754] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0123.754] CloseHandle (hObject=0x214) returned 1 [0123.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=8, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fpos.exexeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 8 [0123.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="infopath.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infopath.exexeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0123.756] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0123.758] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.758] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.758] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x214 [0123.758] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0123.758] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0123.758] CloseHandle (hObject=0x214) returned 1 [0123.760] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isspos.exeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0123.761] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="infopath.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infopath.exexeice.exe.exexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0123.761] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0123.863] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.864] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.864] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x214 [0123.864] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0123.865] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0123.865] CloseHandle (hObject=0x214) returned 1 [0123.867] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mxslipstream.exe", cchWideChar=16, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mxslipstream.exee.exexe famous.exe", lpUsedDefaultChar=0x0) returned 16 [0123.869] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="infopath.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infopath.exeream.exee.exexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0123.869] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0123.870] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.870] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.871] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x214 [0123.871] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0123.871] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0123.872] CloseHandle (hObject=0x214) returned 1 [0123.874] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="omnipos.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="omnipos.exem.exee.exexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0123.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="infopath.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infopath.exeexem.exee.exexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0123.877] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0123.878] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.878] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x214 [0123.878] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0123.879] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0123.879] CloseHandle (hObject=0x214) returned 1 [0123.880] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spcwin.exe", cchWideChar=10, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spcwin.exeem.exee.exexe famous.exe", lpUsedDefaultChar=0x0) returned 10 [0123.881] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0123.883] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.883] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.883] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x214 [0123.883] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0123.883] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0123.884] CloseHandle (hObject=0x214) returned 1 [0123.884] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0123.885] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.885] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x214 [0123.886] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0123.886] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0123.886] CloseHandle (hObject=0x214) returned 1 [0123.886] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0123.887] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.887] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.887] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x214 [0123.887] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0123.888] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0123.888] CloseHandle (hObject=0x214) returned 1 [0123.888] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0123.889] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.889] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.890] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x214 [0123.890] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0123.890] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0123.890] CloseHandle (hObject=0x214) returned 1 [0123.890] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0123.891] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.891] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.891] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x214 [0123.891] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0123.892] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0123.892] CloseHandle (hObject=0x214) returned 1 [0123.892] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0123.893] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.893] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.893] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x214 [0123.893] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0123.894] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0123.894] CloseHandle (hObject=0x214) returned 1 [0123.894] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0123.980] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.980] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.980] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x214 [0123.980] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0123.981] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0123.981] CloseHandle (hObject=0x214) returned 1 [0123.981] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0123.986] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.986] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.987] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x214 [0123.987] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0123.987] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0123.987] CloseHandle (hObject=0x214) returned 1 [0123.987] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0123.988] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.989] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.989] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x214 [0123.989] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0123.989] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0123.989] CloseHandle (hObject=0x214) returned 1 [0123.989] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0123.991] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.991] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.991] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x214 [0123.991] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0123.991] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0123.991] CloseHandle (hObject=0x214) returned 1 [0123.991] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0123.992] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.993] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.993] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x214 [0123.993] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0123.993] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0123.993] CloseHandle (hObject=0x214) returned 1 [0123.993] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0123.994] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.995] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.995] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x214 [0123.995] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0123.995] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0123.995] CloseHandle (hObject=0x214) returned 1 [0123.996] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0123.997] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0123.997] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0123.997] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x214 [0123.998] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0123.999] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0123.999] CloseHandle (hObject=0x214) returned 1 [0123.999] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0124.000] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.000] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.000] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x214 [0124.000] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0124.001] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0124.001] CloseHandle (hObject=0x214) returned 1 [0124.001] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0124.002] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.002] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.002] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x214 [0124.002] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0124.003] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0124.003] CloseHandle (hObject=0x214) returned 1 [0124.003] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x214 [0124.004] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.005] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.005] CloseHandle (hObject=0x214) returned 1 [0124.005] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0124.006] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.006] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.006] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x214 [0124.006] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0124.007] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0124.007] CloseHandle (hObject=0x214) returned 1 [0124.007] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0124.008] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.008] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.008] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x214 [0124.008] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0124.009] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0124.009] CloseHandle (hObject=0x214) returned 1 [0124.009] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0124.010] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.010] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.010] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x214 [0124.010] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0124.011] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0124.011] CloseHandle (hObject=0x214) returned 1 [0124.011] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0124.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb94) returned 0x214 [0124.012] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0124.012] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0124.013] CloseHandle (hObject=0x214) returned 1 [0124.018] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x719e0, th32ModuleID=0x50000, cntThreads=0x61304, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???\r???\x09")) returned 0 [0124.019] CloseHandle (hObject=0x20c) returned 1 [0124.019] Sleep (dwMilliseconds=0x1) [0124.108] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0124.108] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x34a748, cbMultiByte=15, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="isqlplussvc.exexeċssvc.exe") returned 15 [0124.110] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exe", lpUsedDefaultChar=0x0) returned 15 [0124.110] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0124.112] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exesvc.exe", lpUsedDefaultChar=0x0) returned 12 [0124.112] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0124.221] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0124.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.223] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0124.225] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exe", lpUsedDefaultChar=0x0) returned 15 [0124.225] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0124.225] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.226] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.226] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x214 [0124.226] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 0 [0124.226] GetLastError () returned 0x1f [0124.226] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 0 [0124.226] CloseHandle (hObject=0x214) returned 1 [0124.237] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0124.238] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.238] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.238] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x214 [0124.238] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0124.238] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62114, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0124.239] CloseHandle (hObject=0x214) returned 1 [0124.239] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.240] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.240] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0124.240] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0124.241] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.241] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.241] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x214 [0124.241] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0124.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0124.242] CloseHandle (hObject=0x214) returned 1 [0124.242] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0124.243] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.243] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.243] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0124.243] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0124.244] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x214 [0124.244] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0124.245] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0124.245] CloseHandle (hObject=0x214) returned 1 [0124.245] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0124.246] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x214 [0124.246] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0124.247] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0124.247] CloseHandle (hObject=0x214) returned 1 [0124.247] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0124.248] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.248] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.248] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x214 [0124.248] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0124.249] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0124.249] CloseHandle (hObject=0x214) returned 1 [0124.249] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.250] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.250] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.250] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x214 [0124.250] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.250] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.251] CloseHandle (hObject=0x214) returned 1 [0124.251] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0124.251] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.252] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.252] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0124.252] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0124.252] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.253] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.253] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0124.253] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.254] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.254] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.254] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x214 [0124.254] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.254] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.254] CloseHandle (hObject=0x214) returned 1 [0124.254] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0124.255] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.255] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.255] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0124.256] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.256] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.257] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.257] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x214 [0124.257] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.257] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.257] CloseHandle (hObject=0x214) returned 1 [0124.257] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x67, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.258] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.258] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.258] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x214 [0124.258] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.259] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.259] CloseHandle (hObject=0x214) returned 1 [0124.259] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.561] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.561] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.561] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x214 [0124.562] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.562] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.562] CloseHandle (hObject=0x214) returned 1 [0124.562] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.563] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x214 [0124.564] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.564] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.564] CloseHandle (hObject=0x214) returned 1 [0124.564] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.565] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.565] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.565] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x214 [0124.566] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.566] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.566] CloseHandle (hObject=0x214) returned 1 [0124.566] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.567] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.567] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.567] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x214 [0124.567] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.568] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.568] CloseHandle (hObject=0x214) returned 1 [0124.568] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.569] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.569] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.569] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x214 [0124.569] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.570] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.570] CloseHandle (hObject=0x214) returned 1 [0124.570] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.571] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.571] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.571] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x214 [0124.571] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.572] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.572] CloseHandle (hObject=0x214) returned 1 [0124.572] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x214 [0124.573] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.573] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.574] CloseHandle (hObject=0x214) returned 1 [0124.574] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x214 [0124.575] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.576] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.576] CloseHandle (hObject=0x214) returned 1 [0124.578] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0124.580] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exee", lpUsedDefaultChar=0x0) returned 15 [0124.580] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.581] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.581] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.581] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x214 [0124.581] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.582] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.582] CloseHandle (hObject=0x214) returned 1 [0124.584] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exee", lpUsedDefaultChar=0x0) returned 11 [0124.586] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exee", lpUsedDefaultChar=0x0) returned 15 [0124.586] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0124.587] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.587] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.587] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x214 [0124.587] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0124.587] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0124.588] CloseHandle (hObject=0x214) returned 1 [0124.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exee", lpUsedDefaultChar=0x0) returned 11 [0124.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exee", lpUsedDefaultChar=0x0) returned 15 [0124.592] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0124.593] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.593] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.593] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x214 [0124.593] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0124.594] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0124.594] CloseHandle (hObject=0x214) returned 1 [0124.597] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exee", lpUsedDefaultChar=0x0) returned 11 [0124.600] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exee", lpUsedDefaultChar=0x0) returned 15 [0124.600] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0124.601] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.601] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.601] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x214 [0124.601] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0124.601] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0124.602] CloseHandle (hObject=0x214) returned 1 [0124.603] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.604] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.604] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.604] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x214 [0124.605] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.605] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.605] CloseHandle (hObject=0x214) returned 1 [0124.606] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0124.607] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.706] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.706] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x214 [0124.707] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0124.707] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0124.707] CloseHandle (hObject=0x214) returned 1 [0124.707] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0124.708] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.709] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.709] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x214 [0124.709] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0124.709] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x620cc, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0124.709] CloseHandle (hObject=0x214) returned 1 [0124.709] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0124.710] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.710] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.710] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x214 [0124.710] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0124.711] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0124.711] CloseHandle (hObject=0x214) returned 1 [0124.711] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0124.712] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.712] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.712] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x214 [0124.712] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0124.713] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0124.713] CloseHandle (hObject=0x214) returned 1 [0124.713] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0124.714] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.714] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.714] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x214 [0124.714] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0124.714] GetLastError () returned 0x1f [0124.714] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0124.714] CloseHandle (hObject=0x214) returned 1 [0124.730] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0124.731] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.731] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.731] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x214 [0124.732] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0124.732] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0124.732] CloseHandle (hObject=0x214) returned 1 [0124.732] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0124.733] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.733] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.733] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x214 [0124.733] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0124.734] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0124.734] CloseHandle (hObject=0x214) returned 1 [0124.734] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0124.735] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.735] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.735] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x214 [0124.735] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0124.735] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0124.736] CloseHandle (hObject=0x214) returned 1 [0124.736] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0124.737] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.737] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.737] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0124.737] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0124.738] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.738] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.738] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0124.738] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.818] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.818] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.819] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x214 [0124.819] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.819] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0124.819] CloseHandle (hObject=0x214) returned 1 [0124.819] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0124.820] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.820] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.820] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x214 [0124.820] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0124.821] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0124.821] CloseHandle (hObject=0x214) returned 1 [0124.821] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0124.822] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.822] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.822] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x214 [0124.822] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0124.822] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0124.823] CloseHandle (hObject=0x214) returned 1 [0124.823] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0124.823] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.824] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.824] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x214 [0124.824] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0124.824] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0124.824] CloseHandle (hObject=0x214) returned 1 [0124.824] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0124.825] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.825] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.825] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x214 [0124.825] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0124.826] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0124.826] CloseHandle (hObject=0x214) returned 1 [0124.826] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0124.827] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.827] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.827] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x214 [0124.827] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0124.827] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0124.828] CloseHandle (hObject=0x214) returned 1 [0124.828] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0124.828] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.829] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.829] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x214 [0124.829] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0124.829] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0124.829] CloseHandle (hObject=0x214) returned 1 [0124.829] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0124.830] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.830] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.830] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x214 [0124.830] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0124.831] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0124.831] CloseHandle (hObject=0x214) returned 1 [0124.831] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0124.832] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.832] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.832] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x214 [0124.833] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0124.833] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0124.833] CloseHandle (hObject=0x214) returned 1 [0124.833] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0124.834] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.834] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.834] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x214 [0124.834] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0124.835] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0124.835] CloseHandle (hObject=0x214) returned 1 [0124.835] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0124.836] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.836] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.836] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x214 [0124.836] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0124.836] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0124.837] CloseHandle (hObject=0x214) returned 1 [0124.837] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0124.837] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.838] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.838] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x214 [0124.838] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0124.838] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0124.838] CloseHandle (hObject=0x214) returned 1 [0124.838] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0124.839] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.839] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.839] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x214 [0124.839] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0124.840] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0124.840] CloseHandle (hObject=0x214) returned 1 [0124.840] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0124.841] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.841] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.842] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x214 [0124.842] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0124.842] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0124.842] CloseHandle (hObject=0x214) returned 1 [0124.842] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0124.843] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.843] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.843] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x214 [0124.844] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0124.844] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0124.844] CloseHandle (hObject=0x214) returned 1 [0124.844] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0124.845] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.845] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.845] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x214 [0124.845] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0124.845] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0124.846] CloseHandle (hObject=0x214) returned 1 [0124.846] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0124.847] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.847] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.847] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x214 [0124.847] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0124.847] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0124.847] CloseHandle (hObject=0x214) returned 1 [0124.847] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0124.848] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.848] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.848] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x214 [0124.849] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0124.849] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0124.849] CloseHandle (hObject=0x214) returned 1 [0124.849] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0124.850] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.850] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.850] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x214 [0124.850] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0124.850] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0124.851] CloseHandle (hObject=0x214) returned 1 [0124.851] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0124.852] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.852] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.852] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x214 [0124.852] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.852] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.852] CloseHandle (hObject=0x214) returned 1 [0124.852] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0124.853] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.854] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.854] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x214 [0124.854] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0124.854] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0124.854] CloseHandle (hObject=0x214) returned 1 [0124.854] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0124.856] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.856] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.856] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x214 [0124.856] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.856] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.856] CloseHandle (hObject=0x214) returned 1 [0124.856] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0124.858] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.858] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.858] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x214 [0124.858] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0124.858] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0124.859] CloseHandle (hObject=0x214) returned 1 [0124.859] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0124.954] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.954] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.954] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x214 [0124.954] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0124.954] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0124.954] CloseHandle (hObject=0x214) returned 1 [0124.954] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0124.955] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.956] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.956] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x214 [0124.956] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.956] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.956] CloseHandle (hObject=0x214) returned 1 [0124.956] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0124.957] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.957] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.957] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x214 [0124.957] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0124.957] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0124.958] CloseHandle (hObject=0x214) returned 1 [0124.958] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0124.959] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.959] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.959] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x214 [0124.959] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0124.959] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0124.959] CloseHandle (hObject=0x214) returned 1 [0124.959] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0124.960] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.961] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.961] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x214 [0124.961] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0124.961] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0124.961] CloseHandle (hObject=0x214) returned 1 [0124.961] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0124.962] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.962] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.962] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x214 [0124.962] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0124.963] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0124.963] CloseHandle (hObject=0x214) returned 1 [0124.963] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0124.964] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.964] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.964] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x214 [0124.964] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0124.964] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0124.965] CloseHandle (hObject=0x214) returned 1 [0124.965] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0124.966] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.966] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.966] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x214 [0124.966] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0124.966] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0124.967] CloseHandle (hObject=0x214) returned 1 [0124.967] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="icq.exe", cchWideChar=7, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="icq.exe.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 7 [0124.969] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0124.969] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0124.970] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.970] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.970] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x214 [0124.971] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.971] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.971] CloseHandle (hObject=0x214) returned 1 [0124.972] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="leechftp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="leechftp.exerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0124.974] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0124.974] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0124.975] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.975] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.975] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x214 [0124.975] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.975] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0124.976] CloseHandle (hObject=0x214) returned 1 [0124.977] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ncftp.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ncftp.exexeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 9 [0124.978] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0124.978] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0124.979] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.979] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.979] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x214 [0124.979] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0124.980] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0124.980] CloseHandle (hObject=0x214) returned 1 [0124.981] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 11 [0124.983] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeerpro.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0124.983] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0124.984] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0124.984] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0124.984] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x214 [0124.984] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0124.984] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0124.984] CloseHandle (hObject=0x214) returned 1 [0124.986] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0125.077] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.077] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.077] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x214 [0125.077] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0125.077] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0125.078] CloseHandle (hObject=0x214) returned 1 [0125.078] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0125.079] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.079] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.079] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x214 [0125.080] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0125.080] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0125.080] CloseHandle (hObject=0x214) returned 1 [0125.080] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0125.081] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.082] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.082] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x214 [0125.082] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0125.082] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0125.082] CloseHandle (hObject=0x214) returned 1 [0125.082] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0125.084] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.084] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.084] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x214 [0125.084] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0125.084] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0125.084] CloseHandle (hObject=0x214) returned 1 [0125.084] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0125.086] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.086] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.086] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x214 [0125.086] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0125.086] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0125.086] CloseHandle (hObject=0x214) returned 1 [0125.087] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0125.088] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.088] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x214 [0125.088] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0125.088] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0125.089] CloseHandle (hObject=0x214) returned 1 [0125.089] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0125.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x214 [0125.090] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0125.091] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0125.091] CloseHandle (hObject=0x214) returned 1 [0125.093] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="totalcmd.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="totalcmd.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0125.095] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0125.095] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0125.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x214 [0125.097] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0125.097] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0125.097] CloseHandle (hObject=0x214) returned 1 [0125.099] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0125.101] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0125.101] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0125.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x214 [0125.103] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0125.103] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0125.103] CloseHandle (hObject=0x214) returned 1 [0125.105] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="webdrive.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0125.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0125.107] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0125.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x214 [0125.109] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0125.109] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0125.110] CloseHandle (hObject=0x214) returned 1 [0125.111] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 12 [0125.113] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isqlplussvc.exe", cchWideChar=15, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isqlplussvc.exeeexeo.exeexe famous.exe", lpUsedDefaultChar=0x0) returned 15 [0125.113] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0125.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x214 [0125.115] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0125.115] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0125.115] CloseHandle (hObject=0x214) returned 1 [0125.116] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0125.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.118] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.118] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x214 [0125.118] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0125.118] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0125.118] CloseHandle (hObject=0x214) returned 1 [0125.119] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0125.120] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.120] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.120] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x214 [0125.120] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0125.121] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0125.121] CloseHandle (hObject=0x214) returned 1 [0125.121] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0125.233] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.234] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.234] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x214 [0125.234] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0125.234] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0125.234] CloseHandle (hObject=0x214) returned 1 [0125.235] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0125.236] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.236] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.236] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x214 [0125.236] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0125.236] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0125.236] CloseHandle (hObject=0x214) returned 1 [0125.237] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0125.238] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.238] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.238] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x214 [0125.238] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0125.238] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0125.238] CloseHandle (hObject=0x214) returned 1 [0125.239] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0125.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.240] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.240] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x214 [0125.240] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0125.241] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0125.241] CloseHandle (hObject=0x214) returned 1 [0125.241] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0125.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.242] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x214 [0125.242] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0125.243] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0125.243] CloseHandle (hObject=0x214) returned 1 [0125.243] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0125.244] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x214 [0125.245] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0125.245] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0125.245] CloseHandle (hObject=0x214) returned 1 [0125.245] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0125.246] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x214 [0125.246] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0125.247] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0125.247] CloseHandle (hObject=0x214) returned 1 [0125.247] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0125.248] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.248] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.248] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x214 [0125.248] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0125.249] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0125.249] CloseHandle (hObject=0x214) returned 1 [0125.249] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0125.250] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.251] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.251] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x214 [0125.251] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0125.251] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0125.251] CloseHandle (hObject=0x214) returned 1 [0125.251] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0125.252] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.252] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.252] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x214 [0125.253] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0125.253] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0125.253] CloseHandle (hObject=0x214) returned 1 [0125.253] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0125.254] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.254] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.254] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x214 [0125.255] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0125.255] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0125.255] CloseHandle (hObject=0x214) returned 1 [0125.255] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0125.256] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.257] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.257] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x214 [0125.257] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0125.257] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0125.257] CloseHandle (hObject=0x214) returned 1 [0125.257] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0125.258] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.258] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.258] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x214 [0125.259] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0125.259] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0125.259] CloseHandle (hObject=0x214) returned 1 [0125.259] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0125.260] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.260] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.260] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x214 [0125.261] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0125.261] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0125.261] CloseHandle (hObject=0x214) returned 1 [0125.261] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0125.262] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.262] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.262] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x214 [0125.262] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0125.263] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0125.263] CloseHandle (hObject=0x214) returned 1 [0125.263] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0125.264] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.264] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.264] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x214 [0125.264] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0125.266] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0125.266] CloseHandle (hObject=0x214) returned 1 [0125.266] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0125.267] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.267] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.267] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x214 [0125.267] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0125.268] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0125.268] CloseHandle (hObject=0x214) returned 1 [0125.268] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0125.348] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.348] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.348] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x214 [0125.348] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0125.348] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0125.349] CloseHandle (hObject=0x214) returned 1 [0125.349] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0125.350] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.350] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.350] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x214 [0125.350] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0125.350] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0125.351] CloseHandle (hObject=0x214) returned 1 [0125.351] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0125.352] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.352] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.352] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x214 [0125.352] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0125.352] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0125.353] CloseHandle (hObject=0x214) returned 1 [0125.353] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0125.354] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.354] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.354] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x214 [0125.354] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0125.354] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0125.355] CloseHandle (hObject=0x214) returned 1 [0125.355] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0125.356] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.356] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.356] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x214 [0125.356] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0125.356] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0125.356] CloseHandle (hObject=0x214) returned 1 [0125.357] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0125.358] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.358] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.358] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x214 [0125.358] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0125.358] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0125.358] CloseHandle (hObject=0x214) returned 1 [0125.358] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0125.360] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.360] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.360] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x214 [0125.360] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0125.360] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0125.360] CloseHandle (hObject=0x214) returned 1 [0125.360] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0125.361] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.362] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.362] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x214 [0125.362] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0125.362] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0125.362] CloseHandle (hObject=0x214) returned 1 [0125.362] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0125.363] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.363] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.363] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x214 [0125.364] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0125.364] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0125.364] CloseHandle (hObject=0x214) returned 1 [0125.364] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0125.365] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.365] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.366] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x214 [0125.366] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0125.366] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0125.366] CloseHandle (hObject=0x214) returned 1 [0125.366] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.367] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.367] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.367] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x214 [0125.368] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.368] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.368] CloseHandle (hObject=0x214) returned 1 [0125.368] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0125.369] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.369] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.369] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x214 [0125.370] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0125.371] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0125.371] CloseHandle (hObject=0x214) returned 1 [0125.371] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0125.373] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.373] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.373] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x214 [0125.373] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0125.374] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0125.374] CloseHandle (hObject=0x214) returned 1 [0125.374] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0125.375] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.375] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.375] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x214 [0125.375] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0125.376] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0125.376] CloseHandle (hObject=0x214) returned 1 [0125.376] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0125.377] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.377] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.377] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb94) returned 0x214 [0125.377] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0125.377] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0125.378] CloseHandle (hObject=0x214) returned 1 [0125.378] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0125.379] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.379] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.379] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1360) returned 0x214 [0125.379] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0125.379] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0125.380] CloseHandle (hObject=0x214) returned 1 [0125.380] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x712b0, th32ModuleID=0x50000, cntThreads=0x710a4, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??¢???")) returned 0 [0125.380] CloseHandle (hObject=0x20c) returned 1 [0125.447] Sleep (dwMilliseconds=0x1) [0125.587] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0125.587] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359810, cbMultiByte=11, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="kingdee.exe.exexeċssvc.exe") returned 11 [0125.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="kingdee.exe", cchWideChar=11, lpMultiByteStr=0x10be594, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kingdee.exe", lpUsedDefaultChar=0x0) returned 11 [0125.589] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0125.602] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x10be590, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exeexe", lpUsedDefaultChar=0x0) returned 12 [0125.603] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0125.614] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0125.615] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.615] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.616] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0125.617] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="kingdee.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kingdee.exe", lpUsedDefaultChar=0x0) returned 11 [0125.617] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0125.618] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.618] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.618] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x214 [0125.618] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0125.618] GetLastError () returned 0x1f [0125.619] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0125.619] CloseHandle (hObject=0x214) returned 1 [0125.690] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0125.691] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.691] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.691] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x214 [0125.691] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0125.692] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0125.692] CloseHandle (hObject=0x214) returned 1 [0125.692] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0125.693] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.693] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.693] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0125.693] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0125.694] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.694] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.694] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x214 [0125.694] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0125.695] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0125.695] CloseHandle (hObject=0x214) returned 1 [0125.695] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0125.696] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.696] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.696] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0125.696] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0125.697] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.697] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.697] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x214 [0125.697] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0125.697] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0125.698] CloseHandle (hObject=0x214) returned 1 [0125.698] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0125.699] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.699] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.699] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x214 [0125.699] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0125.699] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0125.700] CloseHandle (hObject=0x214) returned 1 [0125.700] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0125.701] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.701] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.701] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x214 [0125.701] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0125.701] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0125.701] CloseHandle (hObject=0x214) returned 1 [0125.702] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.702] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.702] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.703] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x214 [0125.703] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.703] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.703] CloseHandle (hObject=0x214) returned 1 [0125.703] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0125.704] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.704] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.704] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0125.704] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0125.705] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.705] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.705] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0125.705] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.706] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.706] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.706] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x214 [0125.706] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.707] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.707] CloseHandle (hObject=0x214) returned 1 [0125.707] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0125.708] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.708] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.708] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0125.708] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.709] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.709] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.709] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x214 [0125.709] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.710] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.710] CloseHandle (hObject=0x214) returned 1 [0125.710] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x66, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.711] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.711] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.711] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x214 [0125.711] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.712] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.712] CloseHandle (hObject=0x214) returned 1 [0125.712] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.713] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.713] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.713] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x214 [0125.713] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.714] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.714] CloseHandle (hObject=0x214) returned 1 [0125.714] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.715] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.715] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.715] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x214 [0125.715] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.716] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.716] CloseHandle (hObject=0x214) returned 1 [0125.716] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.717] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.717] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.717] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x214 [0125.717] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.717] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.718] CloseHandle (hObject=0x214) returned 1 [0125.718] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.718] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.719] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.719] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x214 [0125.719] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.719] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.719] CloseHandle (hObject=0x214) returned 1 [0125.719] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.720] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.720] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.721] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x214 [0125.721] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.721] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.721] CloseHandle (hObject=0x214) returned 1 [0125.721] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.722] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.722] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.722] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x214 [0125.722] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.723] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.723] CloseHandle (hObject=0x214) returned 1 [0125.723] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.724] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.724] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.724] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x214 [0125.724] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.858] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.859] CloseHandle (hObject=0x214) returned 1 [0125.859] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.860] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.860] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.860] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x214 [0125.860] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.860] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.860] CloseHandle (hObject=0x214) returned 1 [0125.861] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.861] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.862] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.862] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x214 [0125.862] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.862] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.862] CloseHandle (hObject=0x214) returned 1 [0125.862] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0125.867] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.867] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.867] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x214 [0125.867] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0125.867] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0125.867] CloseHandle (hObject=0x214) returned 1 [0125.867] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0125.868] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.868] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.869] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x214 [0125.869] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0125.869] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0125.869] CloseHandle (hObject=0x214) returned 1 [0125.869] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0125.870] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.870] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.870] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x214 [0125.870] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0125.872] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0125.872] CloseHandle (hObject=0x214) returned 1 [0125.872] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0125.873] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.873] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.873] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x214 [0125.873] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.873] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0125.874] CloseHandle (hObject=0x214) returned 1 [0125.874] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0125.875] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.875] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.875] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x214 [0125.875] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0125.875] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0125.876] CloseHandle (hObject=0x214) returned 1 [0125.876] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0125.877] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.877] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.877] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x214 [0125.877] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0125.877] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0125.877] CloseHandle (hObject=0x214) returned 1 [0125.878] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0125.878] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.878] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x214 [0125.879] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0125.879] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0125.879] CloseHandle (hObject=0x214) returned 1 [0125.879] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0125.880] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.880] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.880] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x214 [0125.880] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0125.881] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0125.881] CloseHandle (hObject=0x214) returned 1 [0125.881] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0125.884] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0125.884] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0125.884] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x214 [0125.885] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0125.885] GetLastError () returned 0x1f [0125.887] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0125.887] CloseHandle (hObject=0x214) returned 1 [0126.000] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0126.001] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.001] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.001] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x214 [0126.001] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0126.002] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0126.002] CloseHandle (hObject=0x214) returned 1 [0126.002] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0126.003] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.003] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.003] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x214 [0126.003] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0126.004] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0126.004] CloseHandle (hObject=0x214) returned 1 [0126.004] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0126.005] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.005] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.005] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x214 [0126.005] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0126.005] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0126.005] CloseHandle (hObject=0x214) returned 1 [0126.006] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0126.006] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.007] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.007] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0126.010] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="RuntimeBroker.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RuntimeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 17 [0126.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="kingdee.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kingdee.exeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 11 [0126.011] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0126.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0126.015] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="RuntimeBroker.exe", cchWideChar=17, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RuntimeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 17 [0126.017] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="kingdee.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kingdee.exeBroker.exest.exe", lpUsedDefaultChar=0x0) returned 11 [0126.017] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.018] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.018] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.018] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x214 [0126.018] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0126.019] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0126.019] CloseHandle (hObject=0x214) returned 1 [0126.021] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exeer.exest.exe", lpUsedDefaultChar=0x0) returned 11 [0126.022] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="kingdee.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kingdee.exe.exeer.exest.exe", lpUsedDefaultChar=0x0) returned 11 [0126.022] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0126.023] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.023] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.023] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x214 [0126.024] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0126.024] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0126.024] CloseHandle (hObject=0x214) returned 1 [0126.027] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="prairie-rebates.exe", cchWideChar=19, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="prairie-rebates.exe.exe", lpUsedDefaultChar=0x0) returned 19 [0126.028] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="kingdee.exe", cchWideChar=11, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kingdee.exe-rebates.exe.exe", lpUsedDefaultChar=0x0) returned 11 [0126.028] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0126.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.029] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.029] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x214 [0126.029] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0126.030] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0126.030] CloseHandle (hObject=0x214) returned 1 [0126.031] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0126.076] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.076] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.076] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x214 [0126.077] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0126.077] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0126.077] CloseHandle (hObject=0x214) returned 1 [0126.078] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0126.079] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.079] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.079] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x214 [0126.079] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0126.079] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0126.079] CloseHandle (hObject=0x214) returned 1 [0126.079] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0126.080] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.080] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.080] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x214 [0126.081] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0126.081] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0126.081] CloseHandle (hObject=0x214) returned 1 [0126.081] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0126.082] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.082] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.082] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x214 [0126.082] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0126.082] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0126.083] CloseHandle (hObject=0x214) returned 1 [0126.083] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0126.084] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.084] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.084] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x214 [0126.084] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0126.084] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0126.085] CloseHandle (hObject=0x214) returned 1 [0126.085] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0126.086] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.086] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.086] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x214 [0126.086] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0126.086] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0126.086] CloseHandle (hObject=0x214) returned 1 [0126.086] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0126.087] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.087] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.087] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x214 [0126.087] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0126.088] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0126.088] CloseHandle (hObject=0x214) returned 1 [0126.088] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0126.089] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.089] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.089] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x214 [0126.089] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0126.089] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0126.090] CloseHandle (hObject=0x214) returned 1 [0126.090] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0126.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.091] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.091] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x214 [0126.091] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0126.091] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0126.091] CloseHandle (hObject=0x214) returned 1 [0126.091] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0126.092] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.092] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.092] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x214 [0126.093] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0126.093] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0126.093] CloseHandle (hObject=0x214) returned 1 [0126.093] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0126.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.094] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x214 [0126.094] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0126.094] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0126.095] CloseHandle (hObject=0x214) returned 1 [0126.095] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0126.096] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.096] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.096] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x214 [0126.096] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0126.096] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0126.096] CloseHandle (hObject=0x214) returned 1 [0126.096] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0126.097] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x214 [0126.097] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0126.098] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0126.098] CloseHandle (hObject=0x214) returned 1 [0126.098] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0126.099] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x214 [0126.099] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0126.099] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0126.100] CloseHandle (hObject=0x214) returned 1 [0126.100] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0126.101] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.101] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.101] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x214 [0126.101] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0126.101] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0126.102] CloseHandle (hObject=0x214) returned 1 [0126.102] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0126.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.103] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.103] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x214 [0126.103] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0126.103] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0126.103] CloseHandle (hObject=0x214) returned 1 [0126.103] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0126.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x214 [0126.105] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.105] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.105] CloseHandle (hObject=0x214) returned 1 [0126.106] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0126.107] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.107] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.107] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x214 [0126.107] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0126.107] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0126.108] CloseHandle (hObject=0x214) returned 1 [0126.108] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0126.152] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.153] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.153] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x214 [0126.153] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.153] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.153] CloseHandle (hObject=0x214) returned 1 [0126.153] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0126.155] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.155] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.155] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x214 [0126.155] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0126.155] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0126.156] CloseHandle (hObject=0x214) returned 1 [0126.156] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0126.157] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.157] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.157] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x214 [0126.157] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0126.158] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0126.158] CloseHandle (hObject=0x214) returned 1 [0126.158] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0126.159] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.159] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.160] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x214 [0126.160] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.160] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.160] CloseHandle (hObject=0x214) returned 1 [0126.160] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0126.162] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.162] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.162] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x214 [0126.162] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0126.162] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0126.163] CloseHandle (hObject=0x214) returned 1 [0126.163] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0126.164] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.164] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.164] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x214 [0126.164] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0126.165] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0126.165] CloseHandle (hObject=0x214) returned 1 [0126.165] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0126.166] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.166] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.167] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x214 [0126.167] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0126.167] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0126.167] CloseHandle (hObject=0x214) returned 1 [0126.167] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0126.169] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.169] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.169] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x214 [0126.169] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0126.169] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0126.169] CloseHandle (hObject=0x214) returned 1 [0126.169] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0126.171] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.171] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.171] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x214 [0126.171] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0126.171] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0126.171] CloseHandle (hObject=0x214) returned 1 [0126.172] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0126.173] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.173] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.173] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x214 [0126.173] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0126.174] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0126.174] CloseHandle (hObject=0x214) returned 1 [0126.174] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0126.175] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.175] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.175] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x214 [0126.175] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.176] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.176] CloseHandle (hObject=0x214) returned 1 [0126.176] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0126.177] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.178] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.178] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x214 [0126.178] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.178] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.178] CloseHandle (hObject=0x214) returned 1 [0126.178] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0126.180] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.180] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.180] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x214 [0126.180] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0126.180] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0126.180] CloseHandle (hObject=0x214) returned 1 [0126.180] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0126.182] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.182] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.182] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x214 [0126.182] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0126.182] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0126.182] CloseHandle (hObject=0x214) returned 1 [0126.183] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0126.184] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.184] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.184] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x214 [0126.184] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0126.184] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0126.185] CloseHandle (hObject=0x214) returned 1 [0126.185] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0126.186] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.186] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.186] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x214 [0126.186] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0126.186] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0126.187] CloseHandle (hObject=0x214) returned 1 [0126.187] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0126.188] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.188] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.188] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x214 [0126.188] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.189] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.189] CloseHandle (hObject=0x214) returned 1 [0126.189] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0126.190] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.190] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.190] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x214 [0126.190] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0126.191] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0126.191] CloseHandle (hObject=0x214) returned 1 [0126.191] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0126.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x214 [0126.247] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.248] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0126.248] CloseHandle (hObject=0x214) returned 1 [0126.248] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0126.249] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.250] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.250] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x214 [0126.250] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0126.250] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0126.250] CloseHandle (hObject=0x214) returned 1 [0126.250] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0126.252] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.252] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.252] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x214 [0126.252] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0126.252] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0126.252] CloseHandle (hObject=0x214) returned 1 [0126.253] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0126.254] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.254] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.254] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x214 [0126.254] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0126.254] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0126.255] CloseHandle (hObject=0x214) returned 1 [0126.255] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0126.256] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.256] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.256] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x214 [0126.256] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0126.256] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0126.257] CloseHandle (hObject=0x214) returned 1 [0126.257] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0126.258] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.258] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.258] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x214 [0126.258] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0126.259] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0126.259] CloseHandle (hObject=0x214) returned 1 [0126.259] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0126.260] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.260] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.260] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x214 [0126.260] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0126.261] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0126.261] CloseHandle (hObject=0x214) returned 1 [0126.261] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0126.262] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.262] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.262] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x214 [0126.262] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0126.263] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0126.263] CloseHandle (hObject=0x214) returned 1 [0126.263] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0126.265] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.266] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.266] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x214 [0126.266] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0126.266] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0126.266] CloseHandle (hObject=0x214) returned 1 [0126.266] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0126.267] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.268] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.268] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x214 [0126.268] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0126.268] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0126.268] CloseHandle (hObject=0x214) returned 1 [0126.268] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0126.269] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.270] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.270] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x214 [0126.270] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0126.270] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0126.270] CloseHandle (hObject=0x214) returned 1 [0126.270] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0126.272] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.272] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.272] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x214 [0126.272] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0126.272] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0126.273] CloseHandle (hObject=0x214) returned 1 [0126.273] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0126.274] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.274] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.274] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x214 [0126.274] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0126.274] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0126.275] CloseHandle (hObject=0x214) returned 1 [0126.275] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0126.276] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.276] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.276] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x214 [0126.276] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0126.276] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0126.276] CloseHandle (hObject=0x214) returned 1 [0126.277] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0126.278] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.278] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.278] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x214 [0126.278] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0126.279] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0126.279] CloseHandle (hObject=0x214) returned 1 [0126.279] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0126.280] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.280] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.280] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x214 [0126.280] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0126.281] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0126.281] CloseHandle (hObject=0x214) returned 1 [0126.281] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0126.282] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.282] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.282] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x214 [0126.282] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0126.283] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0126.283] CloseHandle (hObject=0x214) returned 1 [0126.283] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0126.319] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.320] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.320] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x214 [0126.320] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0126.320] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0126.320] CloseHandle (hObject=0x214) returned 1 [0126.320] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0126.322] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.322] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.322] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x214 [0126.322] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0126.322] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0126.322] CloseHandle (hObject=0x214) returned 1 [0126.322] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0126.324] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.324] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.324] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x214 [0126.324] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0126.324] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0126.324] CloseHandle (hObject=0x214) returned 1 [0126.324] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0126.326] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.326] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.326] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x214 [0126.326] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0126.326] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0126.326] CloseHandle (hObject=0x214) returned 1 [0126.326] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0126.327] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.328] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.328] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x214 [0126.328] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0126.328] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0126.328] CloseHandle (hObject=0x214) returned 1 [0126.328] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0126.329] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.330] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.330] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x214 [0126.330] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0126.330] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0126.330] CloseHandle (hObject=0x214) returned 1 [0126.330] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0126.331] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.331] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.331] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x214 [0126.332] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0126.332] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0126.332] CloseHandle (hObject=0x214) returned 1 [0126.332] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0126.333] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.333] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.333] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x214 [0126.333] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0126.334] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0126.334] CloseHandle (hObject=0x214) returned 1 [0126.334] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0126.335] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.335] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.335] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x214 [0126.336] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0126.336] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0126.336] CloseHandle (hObject=0x214) returned 1 [0126.336] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0126.337] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.337] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.338] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x214 [0126.338] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0126.338] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0126.338] CloseHandle (hObject=0x214) returned 1 [0126.338] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0126.339] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.339] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.339] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x214 [0126.339] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0126.340] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0126.340] CloseHandle (hObject=0x214) returned 1 [0126.340] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0126.341] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.341] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.341] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x214 [0126.341] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0126.342] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0126.342] CloseHandle (hObject=0x214) returned 1 [0126.342] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0126.343] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.343] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.343] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x214 [0126.343] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0126.344] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0126.344] CloseHandle (hObject=0x214) returned 1 [0126.344] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0126.345] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.345] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.345] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x214 [0126.345] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0126.345] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0126.346] CloseHandle (hObject=0x214) returned 1 [0126.346] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0126.347] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.347] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.347] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x214 [0126.347] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0126.347] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0126.348] CloseHandle (hObject=0x214) returned 1 [0126.348] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0126.349] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.349] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.349] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x214 [0126.349] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0126.349] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0126.350] CloseHandle (hObject=0x214) returned 1 [0126.350] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0126.351] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.351] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.351] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x214 [0126.351] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0126.406] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0126.565] CloseHandle (hObject=0x214) returned 1 [0126.565] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0126.566] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.566] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.566] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x214 [0126.567] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0126.567] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0126.567] CloseHandle (hObject=0x214) returned 1 [0126.567] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0126.569] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.569] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.569] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x214 [0126.569] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0126.569] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0126.570] CloseHandle (hObject=0x214) returned 1 [0126.570] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0126.571] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.571] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.571] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x214 [0126.571] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0126.571] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0126.572] CloseHandle (hObject=0x214) returned 1 [0126.572] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0126.573] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.573] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x214 [0126.573] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0126.573] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0126.574] CloseHandle (hObject=0x214) returned 1 [0126.574] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0126.575] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.575] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x214 [0126.575] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0126.575] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0126.575] CloseHandle (hObject=0x214) returned 1 [0126.575] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0126.576] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.576] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.576] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x214 [0126.577] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0126.577] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0126.577] CloseHandle (hObject=0x214) returned 1 [0126.577] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0126.578] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.578] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.578] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb94) returned 0x214 [0126.578] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0126.579] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0126.579] CloseHandle (hObject=0x214) returned 1 [0126.579] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0126.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.580] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1360) returned 0x214 [0126.580] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0126.580] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0126.581] CloseHandle (hObject=0x214) returned 1 [0126.581] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0126.582] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0126.582] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0126.582] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1310) returned 0x214 [0126.582] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0126.582] GetLastError () returned 0x1f [0126.582] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0126.582] CloseHandle (hObject=0x214) returned 1 [0126.598] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x7bfe0, th32ModuleID=0x50000, cntThreads=0x2b, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??")) returned 0 [0126.599] CloseHandle (hObject=0x20c) returned 1 [0127.528] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0127.528] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x34a768, cbMultiByte=12, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="msaccess.exeexexeċssvc.exe") returned 12 [0127.528] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0127.529] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0127.541] Process32First (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0127.542] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.542] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.542] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0127.544] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msaccess.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exe\x0c", lpUsedDefaultChar=0x0) returned 12 [0127.544] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0127.545] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.545] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.545] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x214 [0127.545] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0127.545] GetLastError () returned 0x1f [0127.545] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0127.546] CloseHandle (hObject=0x214) returned 1 [0127.560] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0127.561] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.561] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.561] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x214 [0127.561] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0127.562] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0127.562] CloseHandle (hObject=0x214) returned 1 [0127.562] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.563] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0127.563] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0127.564] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.564] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.564] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x214 [0127.565] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0127.565] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0127.565] CloseHandle (hObject=0x214) returned 1 [0127.565] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0127.566] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.566] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.566] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0127.566] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0127.618] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.618] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.618] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x214 [0127.619] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0127.619] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0127.619] CloseHandle (hObject=0x214) returned 1 [0127.619] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0127.620] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.620] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.620] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x214 [0127.620] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0127.621] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0127.621] CloseHandle (hObject=0x214) returned 1 [0127.621] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0127.622] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.622] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.622] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x214 [0127.622] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0127.622] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0127.623] CloseHandle (hObject=0x214) returned 1 [0127.623] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.624] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.624] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.624] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x214 [0127.624] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.624] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.624] CloseHandle (hObject=0x214) returned 1 [0127.625] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0127.625] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.626] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.626] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0127.626] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0127.627] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.627] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.627] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0127.627] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.628] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.628] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.628] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x214 [0127.628] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.628] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.628] CloseHandle (hObject=0x214) returned 1 [0127.629] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0127.629] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.630] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.630] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0127.630] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.630] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.631] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.631] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x214 [0127.631] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.631] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.631] CloseHandle (hObject=0x214) returned 1 [0127.632] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x66, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.633] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.633] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.633] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x214 [0127.633] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.633] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.633] CloseHandle (hObject=0x214) returned 1 [0127.634] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.634] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.634] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.635] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x214 [0127.635] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.635] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.635] CloseHandle (hObject=0x214) returned 1 [0127.635] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.636] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.636] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.636] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x214 [0127.636] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.637] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.637] CloseHandle (hObject=0x214) returned 1 [0127.637] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.638] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.638] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.638] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x214 [0127.638] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.638] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.639] CloseHandle (hObject=0x214) returned 1 [0127.639] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.640] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.640] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.640] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x214 [0127.640] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.640] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.640] CloseHandle (hObject=0x214) returned 1 [0127.640] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.641] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.641] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.641] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x214 [0127.642] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.642] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.642] CloseHandle (hObject=0x214) returned 1 [0127.642] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.643] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.643] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.643] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x214 [0127.643] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.644] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.644] CloseHandle (hObject=0x214) returned 1 [0127.644] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.645] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.645] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.645] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x214 [0127.645] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.645] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.645] CloseHandle (hObject=0x214) returned 1 [0127.646] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.647] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.647] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.647] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x214 [0127.647] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.647] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.648] CloseHandle (hObject=0x214) returned 1 [0127.648] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.649] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.649] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.649] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x214 [0127.649] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.649] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.650] CloseHandle (hObject=0x214) returned 1 [0127.650] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0127.650] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.651] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.651] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x214 [0127.651] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0127.651] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0127.651] CloseHandle (hObject=0x214) returned 1 [0127.651] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0127.652] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.652] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.652] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x214 [0127.652] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0127.653] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0127.653] CloseHandle (hObject=0x214) returned 1 [0127.653] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0127.654] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.654] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.654] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x214 [0127.654] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0127.654] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0127.655] CloseHandle (hObject=0x214) returned 1 [0127.655] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.656] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x214 [0127.656] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.656] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.656] CloseHandle (hObject=0x214) returned 1 [0127.656] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0127.657] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.657] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.657] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x214 [0127.658] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0127.658] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0127.658] CloseHandle (hObject=0x214) returned 1 [0127.658] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0127.659] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.659] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.659] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x214 [0127.659] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0127.659] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0127.660] CloseHandle (hObject=0x214) returned 1 [0127.660] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0127.661] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.661] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.661] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x214 [0127.661] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0127.661] QueryFullProcessImageNameW (in: hProcess=0x214, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0127.661] CloseHandle (hObject=0x214) returned 1 [0127.662] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0127.903] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.903] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.903] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x220 [0127.903] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0127.903] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0127.903] CloseHandle (hObject=0x220) returned 1 [0127.903] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0127.904] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.904] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.904] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x220 [0127.904] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0127.905] GetLastError () returned 0x1f [0127.905] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0127.905] CloseHandle (hObject=0x220) returned 1 [0127.916] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0127.917] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.917] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.917] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x220 [0127.917] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0127.918] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0127.918] CloseHandle (hObject=0x220) returned 1 [0127.918] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0127.919] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.919] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.919] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x220 [0127.919] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0127.919] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0127.919] CloseHandle (hObject=0x220) returned 1 [0127.919] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0127.920] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.920] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.920] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x220 [0127.920] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0127.920] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0127.921] CloseHandle (hObject=0x220) returned 1 [0127.921] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0127.921] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.921] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.921] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0127.922] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0127.922] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.922] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.922] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0127.922] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0127.923] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.923] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.923] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x220 [0127.923] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.923] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0127.924] CloseHandle (hObject=0x220) returned 1 [0127.924] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0127.924] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.924] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.924] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x220 [0127.925] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0127.925] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0127.925] CloseHandle (hObject=0x220) returned 1 [0127.925] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0127.926] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.926] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.926] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x220 [0127.926] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0127.926] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0127.926] CloseHandle (hObject=0x220) returned 1 [0127.926] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0127.927] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.927] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.928] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x220 [0127.928] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0127.928] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0127.929] CloseHandle (hObject=0x220) returned 1 [0127.932] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="crossing.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="crossing.exetes.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0127.934] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msaccess.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exe.exetes.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0127.934] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0127.935] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0127.935] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0127.935] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x220 [0127.936] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0127.936] QueryFullProcessImageNameW (in: hProcess=0x220, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0127.936] CloseHandle (hObject=0x220) returned 1 [0128.194] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="text.exe", cchWideChar=8, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="text.exe.exetes.exe.exe", lpUsedDefaultChar=0x0) returned 8 [0128.196] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msaccess.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exe.exetes.exe.exe", lpUsedDefaultChar=0x0) returned 12 [0128.196] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0128.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.197] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x228 [0128.197] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0128.198] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0128.198] CloseHandle (hObject=0x228) returned 1 [0128.202] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="regarded freebsd olive.exe", cchWideChar=26, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="regarded freebsd olive.exe", lpUsedDefaultChar=0x0) returned 26 [0128.203] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msaccess.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exe freebsd olive.exe", lpUsedDefaultChar=0x0) returned 12 [0128.203] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0128.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x228 [0128.204] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0128.205] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0128.205] CloseHandle (hObject=0x228) returned 1 [0128.206] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="two.exe", cchWideChar=7, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="two.exee freebsd olive.exe", lpUsedDefaultChar=0x0) returned 7 [0128.208] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msaccess.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exe freebsd olive.exe", lpUsedDefaultChar=0x0) returned 12 [0128.208] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0128.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x228 [0128.209] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0128.210] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0128.211] CloseHandle (hObject=0x228) returned 1 [0128.213] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0128.213] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.214] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x228 [0128.214] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0128.214] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0128.214] CloseHandle (hObject=0x228) returned 1 [0128.215] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0128.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x228 [0128.216] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0128.217] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0128.217] CloseHandle (hObject=0x228) returned 1 [0128.217] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0128.218] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.218] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.218] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x228 [0128.218] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0128.218] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0128.219] CloseHandle (hObject=0x228) returned 1 [0128.219] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0128.220] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.220] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.220] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x228 [0128.220] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0128.220] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0128.221] CloseHandle (hObject=0x228) returned 1 [0128.221] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0128.222] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.222] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.222] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x228 [0128.222] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0128.222] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0128.222] CloseHandle (hObject=0x228) returned 1 [0128.222] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0128.223] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.224] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.224] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x228 [0128.224] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0128.224] QueryFullProcessImageNameW (in: hProcess=0x228, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0128.224] CloseHandle (hObject=0x228) returned 1 [0128.224] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0128.225] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.225] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.285] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x224 [0128.285] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0128.369] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0128.369] CloseHandle (hObject=0x224) returned 1 [0128.369] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0128.370] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.371] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.371] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x224 [0128.371] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0128.371] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0128.371] CloseHandle (hObject=0x224) returned 1 [0128.371] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0128.372] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.372] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.372] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x224 [0128.372] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0128.373] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0128.373] CloseHandle (hObject=0x224) returned 1 [0128.373] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0128.374] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.374] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.374] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x224 [0128.374] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0128.375] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0128.375] CloseHandle (hObject=0x224) returned 1 [0128.375] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0128.376] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.376] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.376] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x224 [0128.376] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0128.376] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0128.376] CloseHandle (hObject=0x224) returned 1 [0128.376] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0128.378] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.378] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x224 [0128.378] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0128.378] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0128.378] CloseHandle (hObject=0x224) returned 1 [0128.379] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0128.380] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.380] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.380] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x224 [0128.380] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0128.380] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0128.381] CloseHandle (hObject=0x224) returned 1 [0128.381] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0128.382] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.382] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.382] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x224 [0128.382] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0128.382] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0128.383] CloseHandle (hObject=0x224) returned 1 [0128.383] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0128.384] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.384] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.384] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x224 [0128.384] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0128.385] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0128.385] CloseHandle (hObject=0x224) returned 1 [0128.385] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0128.386] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.386] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.386] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x224 [0128.386] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0128.387] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0128.387] CloseHandle (hObject=0x224) returned 1 [0128.387] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0128.388] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.388] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.389] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x224 [0128.389] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0128.389] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0128.389] CloseHandle (hObject=0x224) returned 1 [0128.389] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0128.390] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.391] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.391] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x224 [0128.391] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0128.391] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0128.391] CloseHandle (hObject=0x224) returned 1 [0128.391] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0128.393] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.393] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.393] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x224 [0128.393] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0128.393] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0128.394] CloseHandle (hObject=0x224) returned 1 [0128.394] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0128.395] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.395] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.395] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x224 [0128.395] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0128.395] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0128.396] CloseHandle (hObject=0x224) returned 1 [0128.396] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0128.397] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.397] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.397] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x224 [0128.397] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0128.398] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0128.398] CloseHandle (hObject=0x224) returned 1 [0128.398] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0128.399] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.399] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.399] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x224 [0128.399] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0128.400] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0128.400] CloseHandle (hObject=0x224) returned 1 [0128.400] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0128.401] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.401] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.402] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x224 [0128.402] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0128.402] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0128.402] CloseHandle (hObject=0x224) returned 1 [0128.402] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0128.403] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0128.404] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0128.404] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x224 [0128.404] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0128.460] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0129.017] CloseHandle (hObject=0x224) returned 1 [0129.017] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0129.018] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.019] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.019] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x224 [0129.019] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0129.019] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0129.019] CloseHandle (hObject=0x224) returned 1 [0129.019] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0129.020] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.020] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.020] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x224 [0129.021] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0129.021] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0129.021] CloseHandle (hObject=0x224) returned 1 [0129.021] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0129.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.022] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.022] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x224 [0129.022] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0129.023] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0129.023] CloseHandle (hObject=0x224) returned 1 [0129.023] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0129.024] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.024] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.024] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x224 [0129.024] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0129.024] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0129.024] CloseHandle (hObject=0x224) returned 1 [0129.024] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0129.025] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.025] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.025] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x224 [0129.025] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0129.026] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0129.026] CloseHandle (hObject=0x224) returned 1 [0129.026] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0129.027] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.027] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.027] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x224 [0129.027] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0129.027] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0129.028] CloseHandle (hObject=0x224) returned 1 [0129.028] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0129.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.029] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.029] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x224 [0129.029] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0129.032] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0129.032] CloseHandle (hObject=0x224) returned 1 [0129.032] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0129.033] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.034] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.034] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x224 [0129.034] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0129.034] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0129.034] CloseHandle (hObject=0x224) returned 1 [0129.034] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0129.035] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.035] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.035] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x224 [0129.035] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0129.036] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0129.036] CloseHandle (hObject=0x224) returned 1 [0129.036] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0129.037] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.037] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.037] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x224 [0129.037] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0129.037] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0129.037] CloseHandle (hObject=0x224) returned 1 [0129.038] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0129.038] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.039] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.039] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x224 [0129.039] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0129.039] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0129.039] CloseHandle (hObject=0x224) returned 1 [0129.039] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0129.040] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.040] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.040] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x224 [0129.040] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0129.041] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0129.041] CloseHandle (hObject=0x224) returned 1 [0129.041] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0129.042] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.042] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.042] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x224 [0129.042] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0129.042] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0129.043] CloseHandle (hObject=0x224) returned 1 [0129.043] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0129.044] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.044] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.044] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x224 [0129.044] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0129.044] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0129.045] CloseHandle (hObject=0x224) returned 1 [0129.045] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0129.046] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.046] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.046] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x224 [0129.047] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0129.047] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0129.047] CloseHandle (hObject=0x224) returned 1 [0129.047] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0129.048] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.049] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.049] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x224 [0129.049] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0129.049] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0129.049] CloseHandle (hObject=0x224) returned 1 [0129.049] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0129.051] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.051] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.051] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x224 [0129.051] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0129.051] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0129.051] CloseHandle (hObject=0x224) returned 1 [0129.051] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0129.053] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.053] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.053] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x224 [0129.053] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0129.053] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0129.053] CloseHandle (hObject=0x224) returned 1 [0129.053] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0129.054] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.054] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.055] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x224 [0129.055] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0129.055] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0129.055] CloseHandle (hObject=0x224) returned 1 [0129.055] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0129.056] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.056] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.056] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x224 [0129.056] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0129.056] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0129.057] CloseHandle (hObject=0x224) returned 1 [0129.057] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0129.058] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.058] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.058] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x224 [0129.058] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0129.058] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0129.058] CloseHandle (hObject=0x224) returned 1 [0129.058] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0129.059] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.059] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.059] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x224 [0129.059] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0129.060] QueryFullProcessImageNameW (in: hProcess=0x224, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0129.060] CloseHandle (hObject=0x224) returned 1 [0129.060] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0129.107] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.107] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.107] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x290 [0129.107] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0129.107] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0129.108] CloseHandle (hObject=0x290) returned 1 [0129.108] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0129.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x290 [0129.109] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0129.110] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0129.110] CloseHandle (hObject=0x290) returned 1 [0129.110] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0129.111] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x290 [0129.112] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0129.112] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0129.112] CloseHandle (hObject=0x290) returned 1 [0129.112] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0129.113] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.113] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.113] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x290 [0129.114] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0129.114] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0129.114] CloseHandle (hObject=0x290) returned 1 [0129.114] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0129.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x290 [0129.116] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0129.116] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0129.116] CloseHandle (hObject=0x290) returned 1 [0129.116] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0129.117] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x290 [0129.117] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0129.118] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0129.118] CloseHandle (hObject=0x290) returned 1 [0129.118] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0129.119] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.119] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x290 [0129.119] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0129.120] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0129.120] CloseHandle (hObject=0x290) returned 1 [0129.120] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0129.121] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.121] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.121] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x290 [0129.121] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0129.122] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0129.122] CloseHandle (hObject=0x290) returned 1 [0129.122] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0129.124] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.124] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.124] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x290 [0129.124] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0129.124] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0129.125] CloseHandle (hObject=0x290) returned 1 [0129.125] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0129.126] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.126] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.126] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x290 [0129.126] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0129.126] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0129.127] CloseHandle (hObject=0x290) returned 1 [0129.127] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0129.128] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.128] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.128] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x290 [0129.128] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0129.128] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0129.129] CloseHandle (hObject=0x290) returned 1 [0129.129] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0129.130] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.130] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.130] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x290 [0129.130] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0129.130] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0129.131] CloseHandle (hObject=0x290) returned 1 [0129.131] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0129.132] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.132] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.132] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x290 [0129.132] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0129.132] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0129.132] CloseHandle (hObject=0x290) returned 1 [0129.133] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0129.134] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.134] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.134] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x290 [0129.134] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0129.134] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0129.134] CloseHandle (hObject=0x290) returned 1 [0129.134] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0129.135] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.136] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.136] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x290 [0129.136] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0129.136] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0129.136] CloseHandle (hObject=0x290) returned 1 [0129.136] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0129.137] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.137] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.137] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x290 [0129.138] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0129.138] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0129.138] CloseHandle (hObject=0x290) returned 1 [0129.138] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0129.229] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.229] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.229] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x290 [0129.229] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0129.230] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0129.230] CloseHandle (hObject=0x290) returned 1 [0129.230] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0129.231] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.231] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.231] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x290 [0129.231] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0129.231] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0129.232] CloseHandle (hObject=0x290) returned 1 [0129.232] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1050, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1390, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0129.233] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.233] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.233] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1050) returned 0x0 [0129.233] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0129.234] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.234] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.234] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x290 [0129.234] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0129.235] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0129.235] CloseHandle (hObject=0x290) returned 1 [0129.235] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0129.236] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.236] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.236] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x290 [0129.236] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0129.237] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0129.237] CloseHandle (hObject=0x290) returned 1 [0129.237] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0129.238] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.238] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.238] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x290 [0129.238] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0129.238] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0129.239] CloseHandle (hObject=0x290) returned 1 [0129.239] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0129.240] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.240] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.240] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x290 [0129.240] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0129.240] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0129.240] CloseHandle (hObject=0x290) returned 1 [0129.241] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0129.242] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.242] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x290 [0129.242] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0129.242] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0129.242] CloseHandle (hObject=0x290) returned 1 [0129.243] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0129.244] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.244] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.244] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x290 [0129.244] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0129.244] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0129.244] CloseHandle (hObject=0x290) returned 1 [0129.244] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0129.245] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.246] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb94) returned 0x290 [0129.246] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0129.246] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0129.246] CloseHandle (hObject=0x290) returned 1 [0129.246] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0129.247] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.247] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.247] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1360) returned 0x290 [0129.247] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0129.248] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0129.248] CloseHandle (hObject=0x290) returned 1 [0129.250] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="LogonUI.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LogonUI.exeetrationVerifier.exeexe", lpUsedDefaultChar=0x0) returned 11 [0129.251] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="msaccess.exe", cchWideChar=12, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msaccess.exeexeetrationVerifier.exeexe", lpUsedDefaultChar=0x0) returned 12 [0129.251] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0129.252] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.252] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.252] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1310) returned 0x290 [0129.252] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0129.253] GetLastError () returned 0x1f [0129.253] QueryFullProcessImageNameW (in: hProcess=0x290, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0129.253] CloseHandle (hObject=0x290) returned 1 [0129.330] Process32Next (in: hSnapshot=0x20c, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x83aa0, th32ModuleID=0x50000, cntThreads=0x2b, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x0, szExeFile="??")) returned 0 [0129.330] CloseHandle (hObject=0x20c) returned 1 [0129.634] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0129.634] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x34a788, cbMultiByte=12, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="msftesql.exeexexeċssvc.exe") returned 12 [0129.634] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0129.634] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ac [0129.655] Process32First (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.656] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.656] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.657] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0129.657] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0129.658] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.658] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.658] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x2b0 [0129.658] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0129.658] GetLastError () returned 0x1f [0129.658] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0129.658] CloseHandle (hObject=0x2b0) returned 1 [0129.988] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0129.989] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.989] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.989] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x2b0 [0129.989] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0129.990] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0129.990] CloseHandle (hObject=0x2b0) returned 1 [0129.990] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.991] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.991] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.992] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0129.992] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0129.993] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.995] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.995] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x2b0 [0129.995] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0129.995] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0129.995] CloseHandle (hObject=0x2b0) returned 1 [0129.995] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0129.996] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.997] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.997] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0129.997] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0129.998] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0129.998] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0129.998] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x2b0 [0129.998] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0129.999] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0129.999] CloseHandle (hObject=0x2b0) returned 1 [0129.999] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0130.000] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.000] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.000] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x2b0 [0130.000] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0130.000] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0130.001] CloseHandle (hObject=0x2b0) returned 1 [0130.001] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0130.002] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.002] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.002] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x2b0 [0130.002] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0130.002] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0130.003] CloseHandle (hObject=0x2b0) returned 1 [0130.003] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.004] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x2b0 [0130.004] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.004] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.005] CloseHandle (hObject=0x2b0) returned 1 [0130.005] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0130.007] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.007] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.007] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0130.007] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0130.008] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.008] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.008] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0130.008] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.009] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.009] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.009] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x2b0 [0130.009] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.009] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.010] CloseHandle (hObject=0x2b0) returned 1 [0130.010] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0130.011] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.011] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.011] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0130.011] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x2b0 [0130.012] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.012] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.013] CloseHandle (hObject=0x2b0) returned 1 [0130.013] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x66, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.014] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.014] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.014] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x2b0 [0130.014] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.014] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.015] CloseHandle (hObject=0x2b0) returned 1 [0130.015] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.016] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.016] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.016] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x2b0 [0130.016] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.016] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.016] CloseHandle (hObject=0x2b0) returned 1 [0130.016] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.017] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.017] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.017] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x2b0 [0130.017] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.018] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.018] CloseHandle (hObject=0x2b0) returned 1 [0130.018] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.019] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.019] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.019] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x2b0 [0130.019] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.019] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.020] CloseHandle (hObject=0x2b0) returned 1 [0130.020] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.090] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.090] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x2b0 [0130.090] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.091] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.091] CloseHandle (hObject=0x2b0) returned 1 [0130.091] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.092] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.092] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.092] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x2b0 [0130.092] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.092] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.093] CloseHandle (hObject=0x2b0) returned 1 [0130.093] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.094] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.094] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.094] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x2b0 [0130.094] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.094] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.094] CloseHandle (hObject=0x2b0) returned 1 [0130.094] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.095] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.095] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x2b0 [0130.095] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.096] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.096] CloseHandle (hObject=0x2b0) returned 1 [0130.096] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.097] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.097] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.097] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x2b0 [0130.097] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.097] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.098] CloseHandle (hObject=0x2b0) returned 1 [0130.098] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.098] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.099] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.099] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x2b0 [0130.099] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.099] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.099] CloseHandle (hObject=0x2b0) returned 1 [0130.099] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0130.100] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.100] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.100] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x2b0 [0130.100] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0130.101] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0130.101] CloseHandle (hObject=0x2b0) returned 1 [0130.101] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0130.102] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.102] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x2b0 [0130.102] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0130.102] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0130.102] CloseHandle (hObject=0x2b0) returned 1 [0130.103] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0130.103] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.104] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.104] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x2b0 [0130.104] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0130.104] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0130.104] CloseHandle (hObject=0x2b0) returned 1 [0130.104] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.105] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.105] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.105] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x2b0 [0130.105] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.106] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.106] CloseHandle (hObject=0x2b0) returned 1 [0130.106] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0130.107] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.107] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.107] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x2b0 [0130.107] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0130.108] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0130.108] CloseHandle (hObject=0x2b0) returned 1 [0130.108] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0130.109] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.109] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.109] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x2b0 [0130.109] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0130.109] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0130.110] CloseHandle (hObject=0x2b0) returned 1 [0130.110] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0130.110] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.111] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.111] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x2b0 [0130.111] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0130.111] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0130.111] CloseHandle (hObject=0x2b0) returned 1 [0130.111] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0130.112] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.112] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.112] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x2b0 [0130.112] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0130.113] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0130.113] CloseHandle (hObject=0x2b0) returned 1 [0130.113] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0130.114] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.114] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.114] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x2b0 [0130.114] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0130.114] GetLastError () returned 0x1f [0130.114] QueryFullProcessImageNameW (in: hProcess=0x2b0, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0130.114] CloseHandle (hObject=0x2b0) returned 1 [0130.190] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0130.191] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.191] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.191] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x2bc [0130.191] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0130.192] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0130.192] CloseHandle (hObject=0x2bc) returned 1 [0130.192] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0130.193] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.193] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x2bc [0130.193] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0130.193] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0130.194] CloseHandle (hObject=0x2bc) returned 1 [0130.194] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0130.195] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.195] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.195] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x2bc [0130.195] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0130.195] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0130.195] CloseHandle (hObject=0x2bc) returned 1 [0130.196] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0130.196] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.196] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.197] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0130.197] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0130.197] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.198] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.198] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0130.198] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.199] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.199] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.199] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x2bc [0130.199] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.199] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.199] CloseHandle (hObject=0x2bc) returned 1 [0130.199] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0130.200] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.200] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.200] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x2bc [0130.201] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0130.201] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0130.201] CloseHandle (hObject=0x2bc) returned 1 [0130.201] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0130.202] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.202] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.202] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x2bc [0130.202] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0130.203] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0130.203] CloseHandle (hObject=0x2bc) returned 1 [0130.203] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0130.204] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.204] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.204] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x2bc [0130.204] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0130.205] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0130.205] CloseHandle (hObject=0x2bc) returned 1 [0130.205] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0130.206] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.206] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.206] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x2bc [0130.206] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0130.206] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0130.206] CloseHandle (hObject=0x2bc) returned 1 [0130.207] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0130.207] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.208] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.208] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x2bc [0130.208] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0130.208] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0130.208] CloseHandle (hObject=0x2bc) returned 1 [0130.208] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0130.209] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.209] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.209] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x2bc [0130.209] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0130.210] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0130.210] CloseHandle (hObject=0x2bc) returned 1 [0130.210] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0130.211] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.211] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.211] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x2bc [0130.211] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0130.211] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0130.212] CloseHandle (hObject=0x2bc) returned 1 [0130.212] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0130.212] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.213] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.213] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x2bc [0130.213] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0130.213] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0130.213] CloseHandle (hObject=0x2bc) returned 1 [0130.213] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0130.214] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.214] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x2bc [0130.214] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0130.215] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0130.215] CloseHandle (hObject=0x2bc) returned 1 [0130.215] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0130.216] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.216] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x2bc [0130.216] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0130.270] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0130.270] CloseHandle (hObject=0x2bc) returned 1 [0130.270] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0130.271] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.271] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.271] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x2bc [0130.271] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0130.272] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0130.272] CloseHandle (hObject=0x2bc) returned 1 [0130.272] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0130.273] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.273] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.273] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x2bc [0130.273] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0130.273] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0130.274] CloseHandle (hObject=0x2bc) returned 1 [0130.274] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0130.275] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.275] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.275] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x2bc [0130.275] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0130.275] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0130.275] CloseHandle (hObject=0x2bc) returned 1 [0130.275] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0130.276] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.276] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.276] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x2bc [0130.277] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0130.277] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0130.277] CloseHandle (hObject=0x2bc) returned 1 [0130.277] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0130.278] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.278] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.278] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x2bc [0130.278] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0130.279] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0130.279] CloseHandle (hObject=0x2bc) returned 1 [0130.279] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0130.280] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.280] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.280] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x2bc [0130.280] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0130.281] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0130.281] CloseHandle (hObject=0x2bc) returned 1 [0130.281] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0130.282] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.282] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.282] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x2bc [0130.282] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0130.282] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0130.282] CloseHandle (hObject=0x2bc) returned 1 [0130.283] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0130.283] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.284] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.284] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x2bc [0130.284] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0130.284] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0130.284] CloseHandle (hObject=0x2bc) returned 1 [0130.284] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0130.286] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.286] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.286] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x2bc [0130.286] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.286] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.286] CloseHandle (hObject=0x2bc) returned 1 [0130.287] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0130.288] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.288] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.288] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x2bc [0130.288] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0130.288] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0130.289] CloseHandle (hObject=0x2bc) returned 1 [0130.289] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0130.290] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.290] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.290] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x2bc [0130.290] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.291] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.291] CloseHandle (hObject=0x2bc) returned 1 [0130.291] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0130.292] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.292] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.293] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x2bc [0130.293] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0130.293] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0130.293] CloseHandle (hObject=0x2bc) returned 1 [0130.293] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0130.295] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.296] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.296] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x2bc [0130.296] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0130.296] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0130.296] CloseHandle (hObject=0x2bc) returned 1 [0130.296] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0130.298] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.298] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.298] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x2bc [0130.298] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.298] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.299] CloseHandle (hObject=0x2bc) returned 1 [0130.299] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0130.300] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.300] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.300] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x2bc [0130.300] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0130.301] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0130.301] CloseHandle (hObject=0x2bc) returned 1 [0130.301] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0130.302] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.302] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.302] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x2bc [0130.303] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0130.303] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0130.303] CloseHandle (hObject=0x2bc) returned 1 [0130.303] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0130.304] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.305] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.305] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x2bc [0130.305] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0130.305] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0130.305] CloseHandle (hObject=0x2bc) returned 1 [0130.305] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0130.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.307] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.307] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x2bc [0130.307] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0130.307] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0130.307] CloseHandle (hObject=0x2bc) returned 1 [0130.307] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0130.309] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.309] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.309] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x2bc [0130.309] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0130.309] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0130.310] CloseHandle (hObject=0x2bc) returned 1 [0130.310] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0130.363] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.363] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.363] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x2bc [0130.363] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0130.363] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0130.364] CloseHandle (hObject=0x2bc) returned 1 [0130.364] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0130.365] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.365] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.365] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x2bc [0130.365] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.366] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.366] CloseHandle (hObject=0x2bc) returned 1 [0130.366] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0130.367] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.368] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.368] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x2bc [0130.368] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.368] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.368] CloseHandle (hObject=0x2bc) returned 1 [0130.368] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0130.370] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.370] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.370] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x2bc [0130.370] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0130.370] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0130.370] CloseHandle (hObject=0x2bc) returned 1 [0130.371] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0130.372] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.372] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.372] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x2bc [0130.372] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0130.372] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0130.373] CloseHandle (hObject=0x2bc) returned 1 [0130.373] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0130.374] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.374] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.374] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x2bc [0130.375] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0130.375] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0130.375] CloseHandle (hObject=0x2bc) returned 1 [0130.375] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0130.376] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.377] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.377] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x2bc [0130.377] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0130.377] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0130.377] CloseHandle (hObject=0x2bc) returned 1 [0130.377] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0130.379] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.379] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.379] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x2bc [0130.379] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.379] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.379] CloseHandle (hObject=0x2bc) returned 1 [0130.379] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0130.381] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.381] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.381] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x2bc [0130.381] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0130.381] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0130.381] CloseHandle (hObject=0x2bc) returned 1 [0130.382] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0130.383] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.383] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.383] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x2bc [0130.383] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.383] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.384] CloseHandle (hObject=0x2bc) returned 1 [0130.384] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0130.385] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.385] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.385] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x2bc [0130.385] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0130.386] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0130.386] CloseHandle (hObject=0x2bc) returned 1 [0130.386] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0130.387] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.387] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.387] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x2bc [0130.387] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0130.388] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0130.388] CloseHandle (hObject=0x2bc) returned 1 [0130.388] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0130.389] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.390] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.390] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x2bc [0130.390] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0130.390] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0130.390] CloseHandle (hObject=0x2bc) returned 1 [0130.390] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0130.391] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.392] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.392] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x2bc [0130.392] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0130.392] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0130.392] CloseHandle (hObject=0x2bc) returned 1 [0130.392] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0130.394] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.394] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.394] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x2bc [0130.394] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0130.394] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0130.394] CloseHandle (hObject=0x2bc) returned 1 [0130.394] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0130.396] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.396] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.396] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x2bc [0130.396] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0130.396] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0130.396] CloseHandle (hObject=0x2bc) returned 1 [0130.396] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0130.398] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.398] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.398] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x2bc [0130.398] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0130.398] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0130.398] CloseHandle (hObject=0x2bc) returned 1 [0130.399] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0130.400] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.400] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.400] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x2bc [0130.400] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0130.400] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0130.401] CloseHandle (hObject=0x2bc) returned 1 [0130.401] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0130.402] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.402] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.402] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x2bc [0130.402] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0130.402] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0130.403] CloseHandle (hObject=0x2bc) returned 1 [0130.403] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0130.404] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.454] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.454] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x2bc [0130.455] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0130.455] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0130.455] CloseHandle (hObject=0x2bc) returned 1 [0130.455] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0130.456] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.457] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x2bc [0130.457] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0130.457] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0130.457] CloseHandle (hObject=0x2bc) returned 1 [0130.457] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0130.458] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.459] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.459] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x2bc [0130.459] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0130.459] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0130.459] CloseHandle (hObject=0x2bc) returned 1 [0130.459] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0130.460] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.461] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x2bc [0130.461] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0130.461] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0130.461] CloseHandle (hObject=0x2bc) returned 1 [0130.461] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0130.462] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.463] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.463] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x2bc [0130.463] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0130.463] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0130.463] CloseHandle (hObject=0x2bc) returned 1 [0130.463] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0130.464] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.465] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.465] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x2bc [0130.465] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0130.465] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0130.465] CloseHandle (hObject=0x2bc) returned 1 [0130.465] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0130.466] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.467] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.467] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x2bc [0130.467] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0130.467] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0130.467] CloseHandle (hObject=0x2bc) returned 1 [0130.467] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0130.468] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.469] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.469] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x2bc [0130.469] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0130.469] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0130.469] CloseHandle (hObject=0x2bc) returned 1 [0130.469] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0130.471] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.471] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.471] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11f0) returned 0x2bc [0130.471] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0130.471] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Security\\mxslipstream.exe", lpdwSize=0x10bf57c) returned 1 [0130.471] CloseHandle (hObject=0x2bc) returned 1 [0130.471] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0130.472] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.473] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.473] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1204) returned 0x2bc [0130.473] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0130.473] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\omnipos.exe", lpdwSize=0x10bf57c) returned 1 [0130.473] CloseHandle (hObject=0x2bc) returned 1 [0130.473] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0130.475] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.475] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.475] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1218) returned 0x2bc [0130.475] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0130.475] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\WindowsPowerShell\\spcwin.exe", lpdwSize=0x10bf57c) returned 1 [0130.475] CloseHandle (hObject=0x2bc) returned 1 [0130.475] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x122c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0130.476] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.477] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.477] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x122c) returned 0x2bc [0130.477] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0130.477] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\spgagentservice.exe", lpdwSize=0x10bf57c) returned 1 [0130.477] CloseHandle (hObject=0x2bc) returned 1 [0130.477] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0130.478] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.479] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.479] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1240) returned 0x2bc [0130.479] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0130.479] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\utg2.exe", lpdwSize=0x10bf57c) returned 1 [0130.479] CloseHandle (hObject=0x2bc) returned 1 [0130.479] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="jessica.exe")) returned 1 [0130.480] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.481] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.481] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1254) returned 0x2bc [0130.481] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0130.481] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\jessica.exe", lpdwSize=0x10bf57c) returned 1 [0130.481] CloseHandle (hObject=0x2bc) returned 1 [0130.481] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="surface-freely.exe")) returned 1 [0130.483] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.483] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.483] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1268) returned 0x2bc [0130.483] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0130.483] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\surface-freely.exe", lpdwSize=0x10bf57c) returned 1 [0130.483] CloseHandle (hObject=0x2bc) returned 1 [0130.483] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x127c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="virginia-converter-meal.exe")) returned 1 [0130.484] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.485] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.485] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x127c) returned 0x2bc [0130.485] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0130.485] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\virginia-converter-meal.exe", lpdwSize=0x10bf57c) returned 1 [0130.485] CloseHandle (hObject=0x2bc) returned 1 [0130.485] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smoking last.exe")) returned 1 [0130.486] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.486] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.486] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1290) returned 0x2bc [0130.487] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0130.487] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\smoking last.exe", lpdwSize=0x10bf57c) returned 1 [0130.487] CloseHandle (hObject=0x2bc) returned 1 [0130.487] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0130.488] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.488] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.488] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1380) returned 0x2bc [0130.488] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0130.489] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0130.489] CloseHandle (hObject=0x2bc) returned 1 [0130.489] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0130.490] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.490] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.490] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13a8) returned 0x2bc [0130.490] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0130.491] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\DeviceCensus.exe", lpdwSize=0x10bf57c) returned 1 [0130.491] CloseHandle (hObject=0x2bc) returned 1 [0130.491] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0130.492] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.492] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.492] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b0) returned 0x2bc [0130.492] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0130.492] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\UNP\\UNPCampaignManager.exe", lpdwSize=0x10bf57c) returned 1 [0130.493] CloseHandle (hObject=0x2bc) returned 1 [0130.493] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0130.494] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.494] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.494] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x2bc [0130.494] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0130.494] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0130.494] CloseHandle (hObject=0x2bc) returned 1 [0130.494] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0130.495] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.496] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.496] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13c8) returned 0x2bc [0130.496] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0130.496] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\root\\Office16\\msoia.exe", lpdwSize=0x10bf57c) returned 1 [0130.496] CloseHandle (hObject=0x2bc) returned 1 [0130.496] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e8, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0130.497] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.497] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.498] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13d0) returned 0x2bc [0130.547] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0130.547] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\AppHostRegistrationVerifier.exe", lpdwSize=0x10bf57c) returned 1 [0130.548] CloseHandle (hObject=0x2bc) returned 1 [0130.548] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x108c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x13a8, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0130.549] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.549] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.549] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108c) returned 0x2bc [0130.549] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0130.549] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\conhost.exe", lpdwSize=0x10bf57c) returned 1 [0130.549] CloseHandle (hObject=0x2bc) returned 1 [0130.550] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0130.551] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.551] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.551] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xde4) returned 0x2bc [0130.551] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0130.551] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\Desktop\\234561.exe", lpdwSize=0x10bf57c) returned 1 [0130.551] CloseHandle (hObject=0x2bc) returned 1 [0130.551] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.552] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.553] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.553] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1198) returned 0x2bc [0130.553] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.553] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.553] CloseHandle (hObject=0x2bc) returned 1 [0130.553] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x112c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0130.554] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.554] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.554] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x12b4) returned 0x2bc [0130.554] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0130.555] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0130.555] CloseHandle (hObject=0x2bc) returned 1 [0130.555] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1134, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x112c, pcPriClassBase=4, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0130.556] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.556] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.556] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1134) returned 0x2bc [0130.556] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0130.556] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0130.557] CloseHandle (hObject=0x2bc) returned 1 [0130.557] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x88c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0130.558] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.558] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.558] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x88c) returned 0x2bc [0130.558] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0130.558] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wbem\\WMIADAP.exe", lpdwSize=0x10bf57c) returned 1 [0130.558] CloseHandle (hObject=0x2bc) returned 1 [0130.559] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0130.560] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.560] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.560] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xb94) returned 0x2bc [0130.560] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0130.560] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SysWOW64\\WerFault.exe", lpdwSize=0x10bf57c) returned 1 [0130.560] CloseHandle (hObject=0x2bc) returned 1 [0130.560] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0130.561] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.561] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.561] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1360) returned 0x2bc [0130.562] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0130.562] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61304, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 1 [0130.562] CloseHandle (hObject=0x2bc) returned 1 [0130.562] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xde4, pcPriClassBase=8, dwFlags=0x0, szExeFile="234561.exe")) returned 1 [0130.563] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.563] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.563] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1310) returned 0x2bc [0130.563] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0130.563] GetLastError () returned 0x1f [0130.563] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0130.564] CloseHandle (hObject=0x2bc) returned 1 [0130.586] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x773d15ca, th32ProcessID=0xbbdb7610, th32DefaultHeapID=0x827a8, th32ModuleID=0x50000, cntThreads=0x2b, th32ParentProcessID=0x52cd8, pcPriClassBase=1943904196, dwFlags=0x12000012, szExeFile="??????")) returned 0 [0130.587] CloseHandle (hObject=0x2ac) returned 1 [0130.684] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10bf618, nSize=0x105 | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0130.684] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x359828, cbMultiByte=9, lpWideCharStr=0x10be720, cchWideChar=2047 | out: lpWideCharStr="mspub.exeexeexexeċssvc.exe") returned 9 [0130.684] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10bf388, nSize=0x20a | out: lpFilename="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\explorer.exe")) returned 0x3e [0130.684] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ac [0130.695] Process32First (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0130.696] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.696] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.696] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0130.697] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mspub.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.exe", lpUsedDefaultChar=0x0) returned 9 [0130.697] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0130.698] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.698] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.698] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x2bc [0130.698] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0130.698] GetLastError () returned 0x1f [0130.698] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\LogonUI.exe", lpdwSize=0x10bf57c) returned 0 [0130.698] CloseHandle (hObject=0x2bc) returned 1 [0130.714] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0130.715] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.715] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.715] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x144) returned 0x2bc [0130.715] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0130.715] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x10bf57c) returned 1 [0130.716] CloseHandle (hObject=0x2bc) returned 1 [0130.716] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.717] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.717] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.717] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x19c) returned 0x0 [0130.718] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe.exe", lpUsedDefaultChar=0x0) returned 8 [0130.719] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mspub.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.exeexe.exe", lpUsedDefaultChar=0x0) returned 9 [0130.719] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0130.720] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.720] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.720] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1ec) returned 0x2bc [0130.720] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0130.721] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x10bf57c) returned 1 [0130.721] CloseHandle (hObject=0x2bc) returned 1 [0130.722] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exee", lpUsedDefaultChar=0x0) returned 11 [0130.724] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mspub.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.exeit.exee", lpUsedDefaultChar=0x0) returned 9 [0130.724] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0130.724] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.725] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.725] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1f4) returned 0x0 [0130.726] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exee", lpUsedDefaultChar=0x0) returned 11 [0130.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mspub.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.exeit.exee", lpUsedDefaultChar=0x0) returned 9 [0130.727] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0130.728] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.728] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.728] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x230) returned 0x2bc [0130.728] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0130.729] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x10bf57c) returned 1 [0130.729] CloseHandle (hObject=0x2bc) returned 1 [0130.731] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0130.732] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mspub.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.exegon.exe", lpUsedDefaultChar=0x0) returned 9 [0130.732] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0130.789] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.789] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.790] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x24c) returned 0x2bc [0130.790] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0130.790] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x10bf57c) returned 1 [0130.790] CloseHandle (hObject=0x2bc) returned 1 [0130.792] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0130.793] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mspub.exe", cchWideChar=9, lpMultiByteStr=0x10be578, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mspub.execes.exe", lpUsedDefaultChar=0x0) returned 9 [0130.793] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0130.794] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.794] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.794] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x254) returned 0x2bc [0130.795] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0130.795] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x6254c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x10bf57c) returned 1 [0130.795] CloseHandle (hObject=0x2bc) returned 1 [0130.797] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x10be57c, cbMultiByte=4095, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exeexe", lpUsedDefaultChar=0x0) returned 9 [0130.797] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.798] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.798] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.798] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2bc) returned 0x2bc [0130.798] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.799] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.799] CloseHandle (hObject=0x2bc) returned 1 [0130.800] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0130.800] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.800] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.801] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0130.801] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0130.801] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.802] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.802] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2cc) returned 0x0 [0130.802] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x31c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.802] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.803] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.803] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x31c) returned 0x2bc [0130.803] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.803] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.803] CloseHandle (hObject=0x2bc) returned 1 [0130.803] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0130.804] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.804] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.804] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x394) returned 0x0 [0130.804] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.805] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.805] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.805] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3bc) returned 0x2bc [0130.806] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.806] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.806] CloseHandle (hObject=0x2bc) returned 1 [0130.806] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x66, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.807] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.807] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.807] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3e8) returned 0x2bc [0130.807] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.807] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.808] CloseHandle (hObject=0x2bc) returned 1 [0130.808] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.809] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.809] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.809] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf8) returned 0x2bc [0130.809] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.809] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.809] CloseHandle (hObject=0x2bc) returned 1 [0130.809] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.810] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.810] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.810] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x16c) returned 0x2bc [0130.810] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.811] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.811] CloseHandle (hObject=0x2bc) returned 1 [0130.811] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.812] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.812] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.812] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x368) returned 0x2bc [0130.812] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.812] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.813] CloseHandle (hObject=0x2bc) returned 1 [0130.813] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x47c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.813] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.814] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.814] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x47c) returned 0x2bc [0130.814] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.814] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.814] CloseHandle (hObject=0x2bc) returned 1 [0130.814] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.815] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.815] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.815] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x538) returned 0x2bc [0130.815] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.816] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.816] CloseHandle (hObject=0x2bc) returned 1 [0130.816] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.817] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.817] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.817] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5b4) returned 0x2bc [0130.817] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.817] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.818] CloseHandle (hObject=0x2bc) returned 1 [0130.818] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.818] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.819] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.819] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5e4) returned 0x2bc [0130.819] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.819] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.819] CloseHandle (hObject=0x2bc) returned 1 [0130.819] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.820] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.820] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.820] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5ec) returned 0x2bc [0130.820] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.821] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.821] CloseHandle (hObject=0x2bc) returned 1 [0130.821] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.822] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.822] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.822] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x61c) returned 0x2bc [0130.822] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.822] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.822] CloseHandle (hObject=0x2bc) returned 1 [0130.822] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x640, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0130.823] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.823] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.823] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x640) returned 0x2bc [0130.824] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0130.824] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x10bf57c) returned 1 [0130.824] CloseHandle (hObject=0x2bc) returned 1 [0130.824] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x5b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0130.825] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.825] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.825] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6c4) returned 0x2bc [0130.825] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0130.826] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\audiodg.exe", lpdwSize=0x10bf57c) returned 1 [0130.864] CloseHandle (hObject=0x2bc) returned 1 [0130.864] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0130.865] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.865] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.865] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x70c) returned 0x2bc [0130.865] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0130.866] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\sihost.exe", lpdwSize=0x10bf57c) returned 1 [0130.866] CloseHandle (hObject=0x2bc) returned 1 [0130.866] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x71c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.867] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.867] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.867] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x71c) returned 0x2bc [0130.867] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.867] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.868] CloseHandle (hObject=0x2bc) returned 1 [0130.868] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0130.869] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.869] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.869] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x7b8) returned 0x2bc [0130.869] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0130.869] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\taskhostw.exe", lpdwSize=0x10bf57c) returned 1 [0130.869] CloseHandle (hObject=0x2bc) returned 1 [0130.869] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x6a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0130.870] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.870] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.871] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x740) returned 0x2bc [0130.871] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0130.871] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x62504, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x10bf57c) returned 1 [0130.871] CloseHandle (hObject=0x2bc) returned 1 [0130.871] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x894, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0130.872] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.872] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.872] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x894) returned 0x2bc [0130.872] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0130.873] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x10bf57c) returned 1 [0130.873] CloseHandle (hObject=0x2bc) returned 1 [0130.873] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0130.874] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.874] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.874] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8cc) returned 0x2bc [0130.874] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0130.874] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 1 [0130.875] CloseHandle (hObject=0x2bc) returned 1 [0130.875] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0130.876] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.876] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.876] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x964) returned 0x2bc [0130.876] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0130.876] GetLastError () returned 0x1f [0130.876] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\SecurityHealthService.exe", lpdwSize=0x10bf57c) returned 0 [0130.876] CloseHandle (hObject=0x2bc) returned 1 [0130.891] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0130.892] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.892] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.892] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x51c) returned 0x2bc [0130.892] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x70e8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0130.893] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\Microsoft.Windows.Cortana_cw5n1h2txyewy\\SearchUI.exe", lpdwSize=0x10bf57c) returned 1 [0130.893] CloseHandle (hObject=0x2bc) returned 1 [0130.893] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x524, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0130.893] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.894] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.894] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x524) returned 0x2bc [0130.894] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0130.894] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\SystemApps\\ShellExperienceHost_cw5n1h2txyewy\\ShellExperienceHost.exe", lpdwSize=0x10bf57c) returned 1 [0130.894] CloseHandle (hObject=0x2bc) returned 1 [0130.894] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x698, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0130.895] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.895] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x698) returned 0x2bc [0130.895] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0130.895] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\RuntimeBroker.exe", lpdwSize=0x10bf57c) returned 1 [0130.895] CloseHandle (hObject=0x2bc) returned 1 [0130.895] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0130.896] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.896] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.896] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe40) returned 0x0 [0130.896] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x56c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0130.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.897] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.897] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x56c) returned 0x0 [0130.897] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0130.897] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.898] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.898] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd78) returned 0x2bc [0130.898] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.898] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x10bf57c) returned 1 [0130.898] CloseHandle (hObject=0x2bc) returned 1 [0130.898] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="prairie-rebates.exe")) returned 1 [0130.899] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.899] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.899] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x78c) returned 0x2bc [0130.899] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0130.899] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Sidebar\\prairie-rebates.exe", lpdwSize=0x10bf57c) returned 1 [0130.899] CloseHandle (hObject=0x2bc) returned 1 [0130.899] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="tariff.exe")) returned 1 [0130.900] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.900] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.900] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe84) returned 0x2bc [0130.900] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0130.900] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\tariff.exe", lpdwSize=0x10bf57c) returned 1 [0130.901] CloseHandle (hObject=0x2bc) returned 1 [0130.901] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="crossing.exe")) returned 1 [0130.901] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.901] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.901] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x364) returned 0x2bc [0130.901] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0130.902] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Media Player\\crossing.exe", lpdwSize=0x10bf57c) returned 1 [0130.902] CloseHandle (hObject=0x2bc) returned 1 [0130.902] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="text.exe")) returned 1 [0130.902] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.902] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.903] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf68) returned 0x2bc [0130.903] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0130.903] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\text.exe", lpdwSize=0x10bf57c) returned 1 [0130.903] CloseHandle (hObject=0x2bc) returned 1 [0130.903] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="regarded freebsd olive.exe")) returned 1 [0130.904] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.904] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.904] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x2bc [0130.904] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0130.972] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\regarded freebsd olive.exe", lpdwSize=0x10bf57c) returned 1 [0130.972] CloseHandle (hObject=0x2bc) returned 1 [0130.972] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="two.exe")) returned 1 [0130.973] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.973] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.973] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa74) returned 0x2bc [0130.973] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0130.973] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\two.exe", lpdwSize=0x10bf57c) returned 1 [0130.973] CloseHandle (hObject=0x2bc) returned 1 [0130.973] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smart_migration_expect.exe")) returned 1 [0130.974] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.974] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.974] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xbac) returned 0x2bc [0130.974] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0130.974] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Photo Viewer\\smart_migration_expect.exe", lpdwSize=0x10bf57c) returned 1 [0130.974] CloseHandle (hObject=0x2bc) returned 1 [0130.974] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="average.exe")) returned 1 [0130.975] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.975] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.975] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x5f8) returned 0x2bc [0130.975] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0130.975] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\average.exe", lpdwSize=0x10bf57c) returned 1 [0130.976] CloseHandle (hObject=0x2bc) returned 1 [0130.976] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="boxing structures.exe")) returned 1 [0130.976] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.976] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.976] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf4) returned 0x2bc [0130.976] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0130.977] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office\\boxing structures.exe", lpdwSize=0x10bf57c) returned 1 [0130.977] CloseHandle (hObject=0x2bc) returned 1 [0130.977] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies.exe")) returned 1 [0130.977] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.978] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.978] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdf0) returned 0x2bc [0130.978] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0130.978] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\spies.exe", lpdwSize=0x10bf57c) returned 1 [0130.978] CloseHandle (hObject=0x2bc) returned 1 [0130.978] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x48c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="properly.exe")) returned 1 [0130.979] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.979] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.979] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x48c) returned 0x2bc [0130.979] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0130.979] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\properly.exe", lpdwSize=0x10bf57c) returned 1 [0130.979] CloseHandle (hObject=0x2bc) returned 1 [0130.979] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x76c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="revenue.exe")) returned 1 [0130.980] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.980] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.980] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x76c) returned 0x2bc [0130.980] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0130.980] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows NT\\revenue.exe", lpdwSize=0x10bf57c) returned 1 [0130.980] CloseHandle (hObject=0x2bc) returned 1 [0130.981] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="awards-dentists-likewise.exe")) returned 1 [0130.981] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.981] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.981] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe30) returned 0x2bc [0130.981] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0130.982] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\awards-dentists-likewise.exe", lpdwSize=0x10bf57c) returned 1 [0130.982] CloseHandle (hObject=0x2bc) returned 1 [0130.982] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe28, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="commissions_cannon.exe")) returned 1 [0130.983] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.983] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.983] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe28) returned 0x2bc [0130.983] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0130.983] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\commissions_cannon.exe", lpdwSize=0x10bf57c) returned 1 [0130.983] CloseHandle (hObject=0x2bc) returned 1 [0130.983] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmission discovered famous.exe")) returned 1 [0130.984] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.984] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.984] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd70) returned 0x2bc [0130.984] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0130.984] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x627d4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\transmission discovered famous.exe", lpdwSize=0x10bf57c) returned 1 [0130.985] CloseHandle (hObject=0x2bc) returned 1 [0130.985] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="hacker.exe")) returned 1 [0130.985] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.985] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.985] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xf30) returned 0x2bc [0130.986] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0130.986] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61e04, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\hacker.exe", lpdwSize=0x10bf57c) returned 1 [0130.986] CloseHandle (hObject=0x2bc) returned 1 [0130.986] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="death.exe")) returned 1 [0130.987] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.987] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.987] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xa44) returned 0x2bc [0130.987] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0130.987] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\death.exe", lpdwSize=0x10bf57c) returned 1 [0130.987] CloseHandle (hObject=0x2bc) returned 1 [0130.987] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ko_ferrari_inspired.exe")) returned 1 [0130.988] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.988] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.988] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xebc) returned 0x2bc [0130.988] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0130.988] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Microsoft.NET\\ko_ferrari_inspired.exe", lpdwSize=0x10bf57c) returned 1 [0130.988] CloseHandle (hObject=0x2bc) returned 1 [0130.988] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x484, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0130.989] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.990] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.990] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x484) returned 0x2bc [0130.990] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.990] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\3dftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.990] CloseHandle (hObject=0x2bc) returned 1 [0130.990] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0130.991] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.991] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.991] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x774) returned 0x2bc [0130.991] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0130.992] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\absolutetelnet.exe", lpdwSize=0x10bf57c) returned 1 [0130.992] CloseHandle (hObject=0x2bc) returned 1 [0130.992] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe78, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0130.993] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.993] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.993] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe78) returned 0x2bc [0130.993] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.993] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Photo Viewer\\alftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.993] CloseHandle (hObject=0x2bc) returned 1 [0130.994] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x498, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0130.995] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.995] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.995] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x498) returned 0x2bc [0130.995] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0130.995] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\barca.exe", lpdwSize=0x10bf57c) returned 1 [0130.995] CloseHandle (hObject=0x2bc) returned 1 [0130.995] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0130.996] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.996] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.996] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe74) returned 0x2bc [0130.996] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0130.997] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Mail\\bitkinex.exe", lpdwSize=0x10bf57c) returned 1 [0130.997] CloseHandle (hObject=0x2bc) returned 1 [0130.997] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0130.998] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0130.998] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0130.998] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfbc) returned 0x2bc [0130.998] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.998] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\coreftp.exe", lpdwSize=0x10bf57c) returned 1 [0130.999] CloseHandle (hObject=0x2bc) returned 1 [0130.999] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0131.000] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.000] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.000] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xe48) returned 0x2bc [0131.000] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0131.000] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\filezilla.exe", lpdwSize=0x10bf57c) returned 1 [0131.000] CloseHandle (hObject=0x2bc) returned 1 [0131.000] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0131.001] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.002] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.002] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdc8) returned 0x2bc [0131.002] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0131.002] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\flashfxp.exe", lpdwSize=0x10bf57c) returned 1 [0131.002] CloseHandle (hObject=0x2bc) returned 1 [0131.002] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0131.003] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.004] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.004] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x8e4) returned 0x2bc [0131.004] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0131.004] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\fling.exe", lpdwSize=0x10bf57c) returned 1 [0131.004] CloseHandle (hObject=0x2bc) returned 1 [0131.004] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0131.005] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.005] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.006] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xedc) returned 0x2bc [0131.006] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0131.006] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\foxmailincmail.exe", lpdwSize=0x10bf57c) returned 1 [0131.006] CloseHandle (hObject=0x2bc) returned 1 [0131.006] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0131.007] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.007] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.007] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfac) returned 0x2bc [0131.007] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0131.007] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\gmailnotifierpro.exe", lpdwSize=0x10bf57c) returned 1 [0131.008] CloseHandle (hObject=0x2bc) returned 1 [0131.008] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0131.009] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.009] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.009] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xfa0) returned 0x2bc [0131.009] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0131.009] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Multimedia Platform\\icq.exe", lpdwSize=0x10bf57c) returned 1 [0131.009] CloseHandle (hObject=0x2bc) returned 1 [0131.009] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0131.010] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.011] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.011] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x474) returned 0x2bc [0131.011] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.011] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\leechftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.011] CloseHandle (hObject=0x2bc) returned 1 [0131.011] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0131.012] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.012] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.012] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xdfc) returned 0x2bc [0131.012] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.012] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Media Player\\ncftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.013] CloseHandle (hObject=0x2bc) returned 1 [0131.013] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0131.115] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.115] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x488) returned 0x2bc [0131.115] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0131.116] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\notepad.exe", lpdwSize=0x10bf57c) returned 1 [0131.116] CloseHandle (hObject=0x2bc) returned 1 [0131.116] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0131.117] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.117] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.117] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1014) returned 0x2bc [0131.117] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0131.117] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Adobe\\operamail.exe", lpdwSize=0x10bf57c) returned 1 [0131.117] CloseHandle (hObject=0x2bc) returned 1 [0131.117] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0131.118] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.119] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1028) returned 0x2bc [0131.119] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0131.119] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows Sidebar\\outlook.exe", lpdwSize=0x10bf57c) returned 1 [0131.119] CloseHandle (hObject=0x2bc) returned 1 [0131.119] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0131.120] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.120] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.120] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1040) returned 0x2bc [0131.120] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0131.120] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Multimedia Platform\\pidgin.exe", lpdwSize=0x10bf57c) returned 1 [0131.121] CloseHandle (hObject=0x2bc) returned 1 [0131.121] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0131.122] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.122] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.122] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1054) returned 0x2bc [0131.122] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.122] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Mozilla Maintenance Service\\scriptftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.122] CloseHandle (hObject=0x2bc) returned 1 [0131.122] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1068, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0131.124] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.124] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.124] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1068) returned 0x2bc [0131.124] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0131.124] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\skype.exe", lpdwSize=0x10bf57c) returned 1 [0131.124] CloseHandle (hObject=0x2bc) returned 1 [0131.124] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0131.125] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.125] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.125] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x107c) returned 0x2bc [0131.125] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.126] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\smartftp.exe", lpdwSize=0x10bf57c) returned 1 [0131.126] CloseHandle (hObject=0x2bc) returned 1 [0131.126] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0131.127] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.127] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.127] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1090) returned 0x2bc [0131.127] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0131.127] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\thunderbird.exe", lpdwSize=0x10bf57c) returned 1 [0131.127] CloseHandle (hObject=0x2bc) returned 1 [0131.127] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0131.128] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.128] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.128] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10a4) returned 0x2bc [0131.128] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0131.129] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Uninstall Information\\totalcmd.exe", lpdwSize=0x10bf57c) returned 1 [0131.129] CloseHandle (hObject=0x2bc) returned 1 [0131.129] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0131.130] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.130] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.130] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10b8) returned 0x2bc [0131.130] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0131.131] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Windows NT\\trillian.exe", lpdwSize=0x10bf57c) returned 1 [0131.131] CloseHandle (hObject=0x2bc) returned 1 [0131.131] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0131.132] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.132] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.132] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10cc) returned 0x2bc [0131.132] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0131.133] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\rempl\\webdrive.exe", lpdwSize=0x10bf57c) returned 1 [0131.133] CloseHandle (hObject=0x2bc) returned 1 [0131.133] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0131.134] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.134] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.134] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10e4) returned 0x2bc [0131.134] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0131.134] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Reference Assemblies\\whatsapp.exe", lpdwSize=0x10bf57c) returned 1 [0131.134] CloseHandle (hObject=0x2bc) returned 1 [0131.134] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0131.135] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.135] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.135] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x10f8) returned 0x2bc [0131.136] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0131.136] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\MSBuild\\winscp.exe", lpdwSize=0x10bf57c) returned 1 [0131.136] CloseHandle (hObject=0x2bc) returned 1 [0131.136] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x110c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0131.137] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.137] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.137] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x110c) returned 0x2bc [0131.137] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0131.137] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Common Files\\yahoomessenger.exe", lpdwSize=0x10bf57c) returned 1 [0131.137] CloseHandle (hObject=0x2bc) returned 1 [0131.138] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1120, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0131.139] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.139] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.139] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1120) returned 0x2bc [0131.139] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0131.139] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Microsoft Office 15\\active-charge.exe", lpdwSize=0x10bf57c) returned 1 [0131.139] CloseHandle (hObject=0x2bc) returned 1 [0131.139] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0131.140] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.140] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.140] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1138) returned 0x2bc [0131.140] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0131.141] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Reference Assemblies\\accupos.exe", lpdwSize=0x10bf57c) returned 1 [0131.141] CloseHandle (hObject=0x2bc) returned 1 [0131.141] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1150, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0131.142] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.142] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.142] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1150) returned 0x2bc [0131.142] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0131.142] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Common Files\\afr38.exe", lpdwSize=0x10bf57c) returned 1 [0131.142] CloseHandle (hObject=0x2bc) returned 1 [0131.142] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0131.143] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.143] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.143] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1164) returned 0x2bc [0131.143] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0131.144] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Mozilla Firefox\\aldelo.exe", lpdwSize=0x10bf57c) returned 1 [0131.144] CloseHandle (hObject=0x2bc) returned 1 [0131.144] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0131.145] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.145] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.145] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1178) returned 0x2bc [0131.145] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0131.145] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\ccv_server.exe", lpdwSize=0x10bf57c) returned 1 [0131.145] CloseHandle (hObject=0x2bc) returned 1 [0131.145] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x118c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0131.146] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.146] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.146] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x118c) returned 0x2bc [0131.146] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0131.147] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Java\\centralcreditcard.exe", lpdwSize=0x10bf57c) returned 1 [0131.147] CloseHandle (hObject=0x2bc) returned 1 [0131.147] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0131.148] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.148] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.148] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11a0) returned 0x2bc [0131.148] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0131.148] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Google\\creditservice.exe", lpdwSize=0x10bf57c) returned 1 [0131.148] CloseHandle (hObject=0x2bc) returned 1 [0131.148] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0131.149] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.149] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.149] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11b4) returned 0x2bc [0131.149] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0131.150] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\edcsvr.exe", lpdwSize=0x10bf57c) returned 1 [0131.150] CloseHandle (hObject=0x2bc) returned 1 [0131.150] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0131.151] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.151] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.151] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11c8) returned 0x2bc [0131.151] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0131.151] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x5e36c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Portable Devices\\fpos.exe", lpdwSize=0x10bf57c) returned 1 [0131.151] CloseHandle (hObject=0x2bc) returned 1 [0131.151] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0131.152] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.152] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") returned 0x74047fc0 [0131.152] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x11dc) returned 0x2bc [0131.152] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x710a4, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0131.153] QueryFullProcessImageNameW (in: hProcess=0x2bc, dwFlags=0x0, lpExeName=0x61b8c, lpdwSize=0x10bf57c | out: lpExeName="C:\\Program Files\\Windows Defender Advanced Threat Protection\\isspos.exe", lpdwSize=0x10bf57c) returned 1 [0131.153] CloseHandle (hObject=0x2bc) returned 1 [0131.153] Process32Next (in: hSnapshot=0x2ac, lppe=0x10bf5f8 | out: lppe=0x10bf5f8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x740, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0131.154] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x74030000 [0131.154] GetProcAddress (hModule=0x74030000, lpProcName="QueryFullProcessImageNameW") Process: id = "8" image_name = "notepad.exe" filename = "c:\\windows\\syswow64\\notepad.exe" page_root = "0x85d5000" os_pid = "0x1134" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x112c" cmd_line = "notepad.exe" cur_dir = "C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 43 os_tid = 0x7b4 Thread: id = 44 os_tid = 0x5e0 Thread: id = 45 os_tid = 0x12b0 Thread: id = 50 os_tid = 0x1220 Process: id = "9" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x6cbfb000" os_pid = "0xb94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde4" cmd_line = "C:\\WINDOWS\\SysWOW64\\WerFault.exe -u -p 3556 -s 1052" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x1350 Thread: id = 47 os_tid = 0x13e4 Thread: id = 48 os_tid = 0x1354 Thread: id = 49 os_tid = 0xf70 Process: id = "10" image_name = "234561.exe" filename = "c:\\users\\fd1hvy\\desktop\\234561.exe" page_root = "0x558ea000" os_pid = "0x1310" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xde4" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\234561.exe\" " cur_dir = "C:\\WINDOWS\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000faa5" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]